CVE-2023-34468 – Apache NiFi: Potential Code Injection with Database Services using H2
https://notcve.org/view.php?id=CVE-2023-34468
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. • https://github.com/mbadanoiu/CVE-2023-34468 http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html http://www.openwall.com/lists/oss-security/2023/06/12/3 https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 https://nifi.apache.org/security.html#CVE-2023-34468 https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation https://issues.apache.org/jira/browse/NIFI-11653 https://nifi.apache.org/secu • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-22832 – Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes
https://notcve.org/view.php?id=CVE-2023-22832
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. • https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w https://nifi.apache.org/security.html#CVE-2023-22832 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2022-33140 – Improper Neutralization of Command Elements in Shell User Group Provider
https://notcve.org/view.php?id=CVE-2022-33140
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. • https://lists.apache.org/thread/bzs2pcdjsdrh5039oslmfr9mbs9qqdhr https://nifi.apache.org/security.html#CVE-2022-33140 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2022-29265 – Improper Restriction of XML External Entity References in Multiple Components
https://notcve.org/view.php?id=CVE-2022-29265
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services. Varios componentes de Apache NiFi versiones 0.0.1 a 1.16.0, no restringen las referencias de tipo XML External Entity en la configuración por defecto. • https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl https://nifi.apache.org/security.html#CVE-2022-29265 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2022-26850 – Insufficiently protected credentials
https://notcve.org/view.php?id=CVE-2022-26850
When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory. Cuando son creadas o actualizadas las credenciales para el acceso de un solo usuario, Apache NiFi escribe una copia de la configuración de los proveedores de identidad de inicio de sesión en el directorio temporal del sistema operativo. • http://www.openwall.com/lists/oss-security/2022/04/06/2 https://nifi.apache.org/security.html#CVE-2022-26850 • CWE-668: Exposure of Resource to Wrong Sphere •