Description
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Apache Software Foundation / Apache NiFi0.0.2 – 1.21.0
References
- MISChttps://nifi.apache.org/security.html#CVE-2023-34468
- MAILING_LISThttps://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
- MAILING_LISThttp://www.openwall.com/lists/oss-security/2023/06/12/3
- EXPLOIThttp://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html
- MISChttps://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/