[High Risk] Command Injection Vulnerability in Apache NiFi Remote Resource Retrieval Function - Code World

[High Risk] Command Injection Vulnerability in Apache NiFi Remote Resource Retrieval Function

News 2023-08-06 20:33:30 views: null

Vulnerability description

Apache NiFi is an open source data stream processing and automation tool.

Versions prior to Apache NiFi 1.23.0 include Processors and Controller Services that use HTTP URLs for remote resource retrieval, but ordinary users are not restricted from configuring this feature. An authenticated attacker can configure malicious external resource references, triggering remote code execution when a component loads malicious configuration files or additional libraries controlled by the attacker.

Vulnerability name	Command Injection Vulnerability in Apache NiFi Remote Resource Retrieval
Vulnerability type	code injection
Discovery time	2023-07-29
Vulnerability Breadth	Small
MPS number	MPS-h7gi-f1vl
CVE number	CVE-2023-36542
CNVD number	-

Sphere of influence

org.apache.nifi:nifi-api@[0.0.1-incubating, 1.23.0);

org.apache.nifi:nifi-nar-bundles@[0.0.1-incubating, 1.23.0);

Repair plan

Upgrade org.apache.nifi:nifi-api to 1.23.0 or later

The official patch has been released: NIFI-11744 Added Required Permission to Reference Remote Resources · apache/nifi@cbee9f0 · GitHub

Upgrade org.apache.nifi:nifi-nar-bundles to version 1.23.0 or higher

reference link

OSCS | Open source software supply chain security community | Make every open source project more secure

NVD - CVE-2023-36542

[NIFI-11744] Add Required Permission for Referencing Remote Resources - ASF JIRA

NIFI-11744 Added Required Permission to Reference Remote Resources · apache/nifi@cbee9f0 · GitHub

Free intelligence subscription & code security detection

OSCS is the first open source software supply chain security community in China. The community cooperates with developers to help the world's top open source projects solve security problems, and provides real-time security vulnerability intelligence, as well as professional code security detection tools for developers to use for free. Community developers can obtain first-hand intelligence by configuring Feishu, DingTalk, and WeChat bots.

Free code security detection tool: Murphy Security | Provide you with professional software supply chain security management

Free intelligence subscription: OSCS | Open source software supply chain security community | Make every open source project more secure

For details on how to subscribe, see: Introduction | OSCS

Guess you like

Origin blog.csdn.net/murphysec/article/details/132101258

[High Risk] Command Injection Vulnerability in Apache NiFi Remote Resource Retrieval Function

[High Risk] Code Injection Vulnerability in Apache NiFi H2 Driver

[High Risk] Apache Nifi JMS component has JNDI deserialization vulnerability

[High risk] Apache Cassandra has an unauthorized vulnerability that leads to remote command execution

WordPress plugin Mailpress high-risk remote command execution vulnerability

Apache Continuum high-risk 0Day command execution vulnerability

Zabbix high-risk SQL injection vulnerability and repair plan

[High Risk] Atlassian Confluence Remote Code Execution Vulnerability

[High Risk] Office and Windows HTML Remote Code Execution Vulnerability

【High Risk】Microsoft Exchange Server Remote Code Execution Vulnerability

[High Risk] Microsoft Teams Remote Code Execution Vulnerability

[High Risk] Microsoft Office Visio Remote Code Execution Vulnerability

[Vulnerability notice] JeecgBoot fixes Freemarker template injection vulnerability, vulnerability hazard level: high risk

[Medium Risk] Apache Airflow ODBC Provider Remote Code Execution Vulnerability

Apache SSI Remote Command Execution Vulnerability

[Vulnerability notice] Apache Shiro exploded authentication bypass vulnerability CVE-2023-34478, vulnerability level: high risk

Apache Spark UI Command Injection Vulnerability (CVE-2022-33891)

Command injection vulnerability

Command injection vulnerability (1)

Command injection vulnerability (2)

Command injection vulnerability in DVWA

ThinkPHP5 remote code execution vulnerability in high-risk (attached: upgrade remediation solution)

Struts2 high-risk remote code execution (S2-037) vulnerability and its repair

[High Risk] Nuxt.js <3.4.3 Remote Code Execution Vulnerability (POC Public)

[Vulnerability recurrence] Apache RocketMQ Command Injection Vulnerability (CVE-2023-33246)

[High Risk] Apache Airflow Spark Provider Arbitrary File Read Vulnerability (CVE-2023-40272)

ImageMagick once again broke the high-risk 0Day command execution vulnerability

Apache Solr remote command execution vulnerability CVE-2019-0193 vulnerability recurrence

Apache NiFi remote code execution-RCE

Apache RocketMQ command injection

Recommended

The number of MaxKB GitHub Stars, an open source knowledge base question and answer system based on large language models, exceeded 5,000!

Ranking

Getting the basic concepts of ROS + catkin Profile

Spring Learning (2) --- Assembling Beans in the IoC Container

js to get the src attribute of the image regularly

STM32 is based on CubeIDE and HAL library basics entry study notes: Bluetooth WIFI STM32 connects to Alibaba Cloud

Short video learning - 3, pandas simple use of pivot_table

Print directory of project configuration log, output log

Understand the difference between vi and vim in Linux in 3 minutes

1 + x certificate Web front-end development HTML5 special exercises

mangodb save and insert the difference

7-1 Family tree processing (50 points) (binary tree solution)

Daily

More

2024-05-13(8)

2024-05-12(28)

2024-05-11(32)

2024-05-10(34)

2024-05-09(32)

2024-05-08(18)

2024-05-07(34)

2024-05-06(6)

2024-05-05(0)

2024-05-04(18)