Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs
CVE-2023-40037

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nifi
Vendor: CVE Published:; 18 August 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

Affected Version(s)

Apache NiFi 1.21.0 <= 1.23.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-40037
Created by mbadanoiu

References

https://nifi.apache.org/security.html#CVE-2023-40037

release-notes

https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xp...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/08/18/2

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 23, 2023
👾
Exploit known to exist
Nov 23, 2023
Vulnerability published
Aug 18, 2023
Vulnerability Reserved
Aug 8, 2023

Credit

Matei "Mal" Badanoiu