Lucene search
ApacheCVELIST:CVE-2023-34212HistoryJun 12, 2023 - 3:14 p.m.
CVE-2023-34212 Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components
2023-06-1215:14:06
CWE-502
apache
www.cve.org
apache nifi
cve-2023-34212
deserialization
vulnerability
jndi
jms
components
authentication
0.002 Low
EPSS
Percentile
52.8%
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.
The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.
You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
CNA Affected
[
{
"defaultStatus": "unaffected",
"product": "Apache NiFi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.21.0",
"status": "affected",
"version": "1.8.0",
"versionType": "semver"
}
]
}
]Related
prion
prion
Deserialization of untrusted data
2023-06-12 16:15:00
osv
osv
Apache NiFi vulnerable to Deserialization of Untrusted Data
2023-06-12 18:30:18
CVE-2023-34212
2023-06-12 16:15:10
cve
cve
CVE-2023-34212
2023-06-12 16:15:10
veracode
veracode
Deserialization Of Untrusted Data
2023-06-15 02:15:49
nvd
nvd
CVE-2023-34212
2023-06-12 16:15:10
github
github
Apache NiFi vulnerable to Deserialization of Untrusted Data
2023-06-12 18:30:18