Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-34212

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Published

2023-06-12T16:15:10.043

Last Modified

2025-02-13T17:16:35.113

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-502
Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	nifi	≤ 1.21.0	Yes

References

http://www.openwall.com/lists/oss-security/2023/06/12/2 Mailing List, Third Party Advisory ([email protected])
https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 Mailing List, Vendor Advisory ([email protected])
https://nifi.apache.org/security.html#CVE-2023-34212 Release Notes, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2023/06/12/2 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://nifi.apache.org/security.html#CVE-2023-34212 Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)