Lucene search
ApacheCVELIST:CVE-2023-36542HistoryJul 29, 2023 - 7:12 a.m.
CVE-2023-36542 Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources
2023-07-2907:12:18
CWE-94
apache
www.cve.org
cve-2023-36542
apache nifi
code injection
remote resources
potential
configuration
privilege escalation
mitigation
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.
CNA Affected
[
{
"defaultStatus": "unaffected",
"product": "Apache NiFi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.22.0",
"status": "affected",
"version": "0.0.2",
"versionType": "semver"
}
]
}
]Related
osv
osv
CVE-2023-36542
2023-07-29 08:15:48
Apache NiFi Code Injection vulnerability
2023-07-29 09:30:15
prion
prion
Design/Logic Flaw
2023-07-29 08:15:00
veracode
veracode
Arbitrary Code Injection
2023-08-02 06:30:32
nvd
nvd
CVE-2023-36542
2023-07-29 08:15:48
cve
cve
CVE-2023-36542
2023-07-29 08:15:48
github
github
Apache NiFi Code Injection vulnerability
2023-07-29 09:30:15