Home > Vulnerability Database > CVE-2023-34468

Mend.io Vulnerability Database

CVE-2023-34468

Good to know:

Date: June 12, 2023

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Language: Java

Severity Score

5.5

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-34468

Url: https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/

Url: https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8

Url: https://nifi.apache.org/security.html#CVE-2023-34468

Url: http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html

Url: http://www.openwall.com/lists/oss-security/2023/06/12/3

Url: https://www.mend.io/vulnerability-database/CVE-2023-34468

Severity Score

5.5

Weakness Type (CWE)

Code Injection

CWE-94

Top Fix

Upgrade Version

Upgrade to version org.apache.nifi:nifi-dbcp-service:1.22.0, org.apache.nifi:nifi-hikari-dbcp-service:1.22.0

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-34468

Good to know:

Date: June 12, 2023

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?