CVE-2023-40037
Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs
Public Exploits: 1
Exploited in Wild: -
Decision: Track
Descriptions
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
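The advisory describes a connection URL check that a crafted input format can slip past, which is the CWE-184 (incomplete denylist) and CWE-697 (comparison on a form the consumer does not use) pattern. The following Python is an added illustration of that pattern, not Apache NiFi's code and not the inputs used against it: the denied prefixes, the allowlists and the sample inputs are all constructed hypothetical deployment policy. It contrasts a prefix-matched denylist with a check that rejects unclean input, parses the scheme or subprotocol, and accepts only an explicit allowlist.

```python
"""Added example (not Apache NiFi code): denylist prefix matching versus a
parse-and-allowlist check for JDBC and JNDI connection URLs.

Everything here is constructed for illustration: the denied prefixes, the
allowlists and the sample inputs are hypothetical deployment policy, not the
checks or inputs involved in CVE-2023-40037.
"""
import re

# Vulnerable pattern (CWE-184, incomplete denylist; CWE-697, comparison on the
# raw string): only these literal prefixes are rejected. Hypothetical list.
DENIED_PREFIXES = ("ldap://", "rmi://", "jdbc:h2:")


def validate_denylist(url: str) -> bool:
    """Return True if the denylist check would accept the URL."""
    return not url.startswith(DENIED_PREFIXES)


# Hardened pattern: reject anything that is not printable and whitespace-free,
# parse the scheme/subprotocol, and accept only an explicit allowlist.
ALLOWED_JDBC_SUBPROTOCOLS = frozenset({"postgresql", "mysql"})  # hypothetical
ALLOWED_JNDI_SCHEMES = frozenset({"java"})  # e.g. java:comp/env; hypothetical

_JDBC_RE = re.compile(r"jdbc:(?P<subprotocol>[a-z0-9]+):(?P<rest>.+)")


def _is_clean(value: str) -> bool:
    """Reject, rather than silently strip, whitespace and control characters."""
    return bool(value) and all(ch.isprintable() and not ch.isspace() for ch in value)


def validate_jdbc_allowlist(url: str) -> bool:
    if not _is_clean(url):
        return False
    match = _JDBC_RE.fullmatch(url.lower())  # case-insensitive on the subprotocol
    return match is not None and match.group("subprotocol") in ALLOWED_JDBC_SUBPROTOCOLS


def validate_jndi_allowlist(name: str) -> bool:
    if not _is_clean(name):
        return False
    scheme, sep, _rest = name.partition(":")
    return sep == ":" and scheme.lower() in ALLOWED_JNDI_SCHEMES


def validate_allowlist(url: str) -> bool:
    """Route to the JDBC or JNDI allowlist check based on the canonical prefix."""
    if url.lstrip().lower().startswith("jdbc:"):
        return validate_jdbc_allowlist(url)
    return validate_jndi_allowlist(url)


# Constructed inputs: (value, should_be_accepted_by_policy). Whether a given
# driver or JNDI provider accepts each variant is driver-specific; the point is
# that the checker and the consumer can disagree on the same string (CWE-697).
CONSTRUCTED_INPUTS = (
    ("jdbc:postgresql://db.internal:5432/app", True),
    ("java:comp/env/jdbc/app", True),
    ("ldap://attacker.example/o=x", False),    # caught by the denylist
    ("ldaps://attacker.example/o=x", False),   # provider the denylist forgot
    ("iiop://attacker.example/obj", False),    # another one it forgot
    (" ldap://attacker.example/o=x", False),   # leading space defeats the prefix match
    ("LDAP://attacker.example/o=x", False),    # case change defeats the prefix match
    ("JDBC:H2:mem:test", False),               # same, for the JDBC prefix
)


def denylist_bypasses(inputs=CONSTRUCTED_INPUTS):
    """Values the denylist accepts even though policy says they must be rejected."""
    return [value for value, allowed in inputs if not allowed and validate_denylist(value)]


def allowlist_matches_policy(inputs=CONSTRUCTED_INPUTS) -> bool:
    """True when the hardened check agrees with policy on every constructed input."""
    return all(validate_allowlist(value) == allowed for value, allowed in inputs)


if __name__ == "__main__":
    for value in denylist_bypasses():
        print(f"denylist accepts: {value!r}")
    print("allowlist matches policy:", allowlist_matches_policy())
```

The fix direction the advisory describes (stronger URL validation plus validation of related properties) corresponds here to validating the parsed, canonical form and to treating every property that reaches the driver as untrusted, rather than adding more strings to the denylist.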
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-08-08 CVE Reserved
- 2023-08-18 CVE Published
- 2023-11-23 First Exploit
- 2024-09-19 EPSS Updated
- 2024-09-27 CVE Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
CWE
- CWE-184: Incomplete List of Disallowed Inputs
- CWE-697: Incorrect Comparison
CAPEC
References (4)
URL | Date | Tag
---|---|---
http://www.openwall.com/lists/oss-security/2023/08/18/2 | | Mailing List
https://github.com/mbadanoiu/CVE-2023-40037 | 2023-11-23 | Public Exploit
https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q | 2023-08-23 | Vendor Advisory
https://nifi.apache.org/security.html#CVE-2023-40037 | 2023-08-23 | Vendor Advisory
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Apache | NiFi | >= 1.21.0 < 1.23.1 | Affected