CVE-2023-34212 — Apache NiFi vulnerable to Deserialization of Untrusted Data

Description

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

How to fix CVE-2023-34212

To remediate CVE-2023-34212, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.22.0 or later

Is CVE-2023-34212 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 1.8.0, <= 1.21.0
>= 1.8.0, < 1.22.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-34212
PATCHgithub.com/apache/nifi
WEBgithub.com/apache/nifi/commit/3fcb82ee4509d1ad73893d8dca003be6d086c5d6
WEBgithub.com/apache/nifi/pull/7313
WEB