6.5

CVE-2023-34212

EPSS 1.11%
Veröffentlicht 12.06.2023 16:15:10
Zuletzt bearbeitet 13.02.2025 17:16:35
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Nifi Version >= 1.8.0 <= 1.21.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.11%	0.772

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://www.openwall.com/lists/oss-security/2023/06/12/2

Third Party Advisory

Mailing List

https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5

Vendor Advisory

Mailing List

https://nifi.apache.org/security.html#CVE-2023-34212

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-34212

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-34212

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-34212

EUVD