Vulnerability Details : CVE-2023-34212
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.
The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.
Users are recommended to upgrade to version 1.22.0 or later, which fixes this issue.
Products affected by CVE-2023-34212
- cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-34212
- EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
- Percentile: ~53% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-34212
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | 
CWE ids for CVE-2023-34212
- The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)
References for CVE-2023-34212
- http://www.openwall.com/lists/oss-security/2023/06/12/2 (oss-security - CVE-2023-34212: Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components) - Mailing List; Third Party Advisory
- https://nifi.apache.org/security.html#CVE-2023-34212 (Apache NiFi Security Reports) - Release Notes; Vendor Advisory
- https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 (CVE-2023-34212: Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components - Apache Mail Archives) - Mailing List; Vendor Advisory