CVE: Common Vulnerabilities and Exposures

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

Expand or collapse notification button

Required CVE Record Information

Description

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.

CWE 1 Total

CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

Product Status

Versions 1 Total

Default Status: unaffected

affected

Credits

nbxiglk finder

References 4 Total

Updated: 2024-08-02

This container includes required additional information provided by the CVE Program for this vulnerability.

References 4 Total

https://nifi.apache.org/security.html#CVE-2023-36542
external site
release-notesx_transferred
https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof
external site
vendor-advisoryx_transferred
http://seclists.org/fulldisclosure/2023/Jul/43
external site
x_transferred
http://www.openwall.com/lists/oss-security/2023/07/29/1
external site
x_transferred

Authorized Data Publishers