[High Risk] Code Injection Vulnerability in Apache NiFi H2 Driver

Vulnerability description

Apache NiFi is an open source data flow processing and automation tool. DBCPConnectionPool and HikariCPConnectionPool are two controller services used to provide connection pool management functions for databases.

In affected versions of Apache NiFi, the DBCPConnectionPool and HikariCPConnectionPool controller services do not validate the user-configured H2 driver URL string, so an authenticated attacker can construct an H2 JDBC URL containing a malicious payload and execute arbitrary code.

Users are advised to upgrade to NiFi 1.22.0, which fixes this vulnerability by disabling H2 JDBC URLs in the default configuration.

Vulnerability name: Code Injection Vulnerability in Apache NiFi H2 Driver
Vulnerability type: code injection
Discovery time: 2023/6/13
Vulnerability breadth: general
MPS number: MPS-v4am-pz0t
CVE number: CVE-2023-34468
CNVD number: -


Affected scope

org.apache.nifi:nifi@[0.0.2, 1.22.0);

Remediation

Upgrade org.apache.nifi:nifi to version 1.22.0 or later.

The project has released a patch that disables the H2 JDBC URL: https://github.com/apache/nifi/commit/6e064a8bdef1cd4f91ea8f42ee16a3675d2f9a9d
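Until the upgrade is rolled out, the practical defender's question is whether any existing flow already carries an H2 connection URL in one of the two affected pool services. The script below is an added example written for this advisory, not Apache NiFi code and not the project's patch. It walks a NiFi flow.json-style document, finds every DBCPConnectionPool or HikariCPConnectionPool controller service, and flags those whose connection URL uses the jdbc:h2: scheme (matched case-insensitively and after stripping whitespace, since JDBC dispatches on the URL prefix). The document layout (nested "controllerServices" lists under process groups) and the property names "Database Connection URL" and "Database Driver Class Name" are assumptions modelled on NiFi's flow definition format; the sample flow is constructed.

```python
"""Audit NiFi flow definitions for H2 JDBC URLs in connection-pool services.

Added example for this advisory; not Apache NiFi code. The flow layout and the
property names below are assumptions modelled on NiFi's flow.json format.
"""
import json
import re
import sys

# Controller-service types named in the advisory (matched on the simple class name).
POOL_SERVICE_TYPES = {"DBCPConnectionPool", "HikariCPConnectionPool"}

# Assumed property display names used by the pool services.
URL_PROPERTY = "Database Connection URL"
DRIVER_PROPERTY = "Database Driver Class Name"

# JDBC drivers dispatch on the URL prefix, so normalise case and leading
# whitespace; a naive startswith("jdbc:h2:") would miss "  JDBC:H2:mem:x".
_H2_URL = re.compile(r"^\s*jdbc:h2:", re.IGNORECASE)


def is_h2_jdbc_url(url):
    """True if the string is a JDBC URL for the H2 driver."""
    return bool(_H2_URL.match(url or ""))


def _iter_controller_services(node):
    """Yield every record found under any 'controllerServices' list,
    descending into nested process groups (assumed layout)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "controllerServices" and isinstance(value, list):
                for svc in value:
                    if isinstance(svc, dict):
                        yield svc
            else:
                yield from _iter_controller_services(value)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_controller_services(item)


def find_h2_services(flow):
    """Return (service name, service type, reason) for pool services pointing at H2."""
    findings = []
    for svc in _iter_controller_services(flow):
        svc_type = svc.get("type", "")
        if svc_type.split(".")[-1] not in POOL_SERVICE_TYPES:
            continue
        props = svc.get("properties") or {}
        url = props.get(URL_PROPERTY) or ""
        driver = props.get(DRIVER_PROPERTY) or ""
        name = svc.get("name", "<unnamed>")
        if is_h2_jdbc_url(url):
            findings.append((name, svc_type, "H2 JDBC URL: " + url.strip()))
        elif driver.strip() == "org.h2.Driver":
            # No H2 URL yet, but the driver class is H2: worth a look.
            findings.append((name, svc_type, "H2 driver class configured"))
    return findings


# Constructed sample flow: one benign PostgreSQL pool, two H2 pools (one nested),
# and an unrelated controller service that must be ignored.
SAMPLE_FLOW = {
    "rootGroup": {
        "name": "root",
        "controllerServices": [
            {"name": "postgres-pool", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
             "properties": {URL_PROPERTY: "jdbc:postgresql://db.internal:5432/app",
                            DRIVER_PROPERTY: "org.postgresql.Driver"}},
            {"name": "scratch-h2", "type": "org.apache.nifi.dbcp.HikariCPConnectionPool",
             "properties": {URL_PROPERTY: "  JDBC:H2:mem:scratch",
                            DRIVER_PROPERTY: "org.h2.Driver"}},
        ],
        "processGroups": [
            {"name": "child",
             "controllerServices": [
                 {"name": "legacy-h2", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
                  "properties": {URL_PROPERTY: "jdbc:h2:file:./legacy"}},
                 {"name": "ssl-ctx", "type": "org.apache.nifi.ssl.StandardSSLContextService",
                  "properties": {}},
             ]},
        ],
    }
}


if __name__ == "__main__":
    # Usage: python audit_h2.py [flow.json]; without an argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            flow = json.load(fh)
    else:
        flow = SAMPLE_FLOW
    for name, svc_type, reason in find_h2_services(flow):
        print(f"{name} ({svc_type}): {reason}")
```

Run against the sample it reports scratch-h2 and legacy-h2 and stays silent on the PostgreSQL pool; on a real instance, decompress flow.json.gz first and review each hit before the 1.22.0 upgrade turns those URLs into configuration errors.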

References

https://www.oscs1024.com/hd/MPS-v4am-pz0t

https://nvd.nist.gov/vuln/detail/CVE-2023-34468

https://issues.apache.org/jira/browse/NIFI-11653

https://github.com/apache/nifi/commit/6e064a8bdef1cd4f91ea8f42ee16a3675d2f9a9d

About Murphy Security 

Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other enterprises. The company offers customers a complete software supply chain security management platform and full-lifecycle software security management built around the SBOM; platform capabilities include software composition analysis, source security management, container image scanning, vulnerability intelligence early warning and commercial software supply chain access assessment. It gives customers end-to-end control from supply chain asset identification and management through risk detection and security control to one-click repair.

Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product can be integrated into an existing development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor and Nexus.

Free code security detection tool:  https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj

Origin blog.csdn.net/murphysec/article/details/131292768