Apache NiFi 1.8.01.21.0 JNDI URL deserialization vulnerability
CVE-2023-34212 Published on June 12, 2023
Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.
The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.
You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
Timeline
reported
confirmed 1 day later.
resolved 3 days later.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2023-34212 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2023-34212
Want to know whenever a new CVE is published for Apache NiFi? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache NiFi:- Version 1.8.0, <= 1.21.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.