Vulnerability Description
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Nifi | >= 1.8.0, <= 1.21.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/06/12/2Mailing ListThird Party Advisory
- https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5Mailing ListVendor Advisory
- https://nifi.apache.org/security.html#CVE-2023-34212Release NotesVendor Advisory
- http://www.openwall.com/lists/oss-security/2023/06/12/2Mailing ListThird Party Advisory
- https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5Mailing ListVendor Advisory
- https://nifi.apache.org/security.html#CVE-2023-34212Release NotesVendor Advisory
FAQ
What is CVE-2023-34212?
CVE-2023-34212 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configur...
How severe is CVE-2023-34212?
CVE-2023-34212 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-34212?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Nifi.