Description

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Remediation

References

https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5

https://nifi.apache.org/security.html#CVE-2023-34212

http://www.openwall.com/lists/oss-security/2023/06/12/2

Related Vulnerabilities

CVE-2021-36374 Vulnerability in maven package org.apache.ant:ant

CVE-2017-5645 Vulnerability in maven package org.apache.logging.log4j:log4j-core

CVE-2023-41329 Vulnerability in maven package com.github.tomakehurst:wiremock-jre8

CVE-2020-36732 Vulnerability in maven package org.webjars.bower:crypto-js

CVE-2022-36888 Vulnerability in maven package com.datapipe.jenkins.plugins:hashicorp-vault-plugin

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory Release Notes Third Party Advisory