Home > Vulnerability Database > CVE-2023-40037

Mend.io Vulnerability Database

CVE-2023-40037

Good to know:

Date: August 18, 2023

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

Language: Java

Severity Score

6.5

Related Resources (5)

Url: https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40037

Url: https://nifi.apache.org/security.html#CVE-2023-40037

Url: http://www.openwall.com/lists/oss-security/2023/08/18/2

Url: https://www.mend.io/vulnerability-database/CVE-2023-40037

Severity Score

6.5

Weakness Type (CWE)

Incomplete Blacklist

CWE-184

Incorrect Comparison

CWE-697

Top Fix

Upgrade Version

Upgrade to version org.apache.nifi:nifi-dbcp-base:1.23.1, org.apache.nifi:nifi-jms-processors:1.23.1, org.apache.nifi:nifi-dbcp-service-api1.23.1, org.apache.nifi:nifi-hikari-dbcp-service:1.23.1

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40037

Good to know:

Date: August 18, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?