CVE-2023-40037

Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

*Credits: Matei "Mal" Badanoiu
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-08-08 CVE Reserved
  • 2023-08-18 CVE Published
  • 2023-11-23 First Exploit
  • 2024-09-19 EPSS Updated
  • 2024-09-27 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-184: Incomplete List of Disallowed Inputs
  • CWE-697: Incorrect Comparison
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product   Version               Other   Status
Apache   Nifi      >= 1.21.0 < 1.23.1    -       Affected