OpenCVE

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apache	Nifi

Configuration 1 [-]

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/06/12/2
https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5
https://nifi.apache.org/security.html#CVE-2023-34212

History

Wed, 09 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-06-12T15:14:06.990Z

Updated: 2024-10-09T13:39:18.394Z

Reserved: 2023-05-30T16:13:48.779Z

Link: CVE-2023-34212

Vulnrichment

Updated: 2024-08-02T16:01:54.310Z

NVD

Status : Modified

Published: 2023-06-12T16:15:10.043

Modified: 2024-11-21T08:06:46.740

Link: CVE-2023-34212

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34212", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-05-30T16:13:48.779Z", "datePublished": "2023-06-12T15:14:06.990Z", "dateUpdated": "2024-10-09T13:39:18.394Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.21.0", "status": "affected", "version": "1.8.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Veraxy00 of Qianxin TI Center"}, {"lang": "en", "type": "reporter", "value": "Matei \"Mal\" Badanoiu"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.</div><div>The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.</div><div>You are recommended to upgrade to version 1.22.0 or later which fixes this issue.<br></div>"}], "value": "The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.\n\nThe resolution validates the JNDI URL and restricts locations to a set of allowed schemes.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.\n\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-06-12T15:14:06.990Z"}, "references": [{"tags": ["release-notes"], "url": "https://nifi.apache.org/security.html#CVE-2023-34212"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5"}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/12/2"}], "source": {"defect": ["NIFI-11614"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2023-05-28T08:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2023-05-29T06:00:00.000Z", "value": "confirmed"}, {"lang": "en", "time": "2023-06-01T00:00:00.000Z", "value": "resolved"}], "title": "Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:54.310Z"}, "title": "CVE Program Container", "references": [{"tags": ["release-notes", "x_transferred"], "url": "https://nifi.apache.org/security.html#CVE-2023-34212"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5"}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/12/2", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-09T13:37:27.959635Z", "id": "CVE-2023-34212", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T13:39:18.394Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://nifi.apache.org/security.html#CVE-2023-34212", "tags": ["release-notes", "x_transferred"]}, {"url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/12/2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:54.310Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34212", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-09T13:37:27.959635Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T13:37:34.451Z"}}], "cna": {"title": "Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components", "source": {"defect": ["NIFI-11614"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Veraxy00 of Qianxin TI Center"}, {"lang": "en", "type": "reporter", "value": "Matei \"Mal\" Badanoiu"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache NiFi", "versions": [{"status": "affected", "version": "1.8.0", "versionType": "semver", "lessThanOrEqual": "1.21.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-05-28T08:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2023-05-29T06:00:00.000Z", "value": "confirmed"}, {"lang": "en", "time": "2023-06-01T00:00:00.000Z", "value": "resolved"}], "references": [{"url": "https://nifi.apache.org/security.html#CVE-2023-34212", "tags": ["release-notes"]}, {"url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/12/2"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.\n\nThe resolution validates the JNDI URL and restricts locations to a set of allowed schemes.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.</div><div>The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.</div><div>You are recommended to upgrade to version 1.22.0 or later which fixes this issue.<br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-06-12T15:14:06.990Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34212", "state": "PUBLISHED", "dateUpdated": "2024-10-09T13:39:18.394Z", "dateReserved": "2023-05-30T16:13:48.779Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-06-12T15:14:06.990Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "matchCriteriaId": "7999A951-01F9-4056-B544-250A3F215FE7", "versionEndIncluding": "1.21.0", "versionStartIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.\n\nThe resolution validates the JNDI URL and restricts locations to a set of allowed schemes.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.\n\n\n"}], "id": "CVE-2023-34212", "lastModified": "2024-11-21T08:06:46.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-12T16:15:10.043", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/06/12/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5"}, {"source": "security@apache.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://nifi.apache.org/security.html#CVE-2023-34212"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/06/12/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://nifi.apache.org/security.html#CVE-2023-34212"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}