Vulnerability description
Apache NiFi is an open source data stream processing and automation tool.
Versions of Apache NiFi prior to 1.23.0 include Processors and Controller Services that retrieve remote resources over HTTP URLs, but do not restrict ordinary users from configuring that feature. An authenticated attacker can therefore point such a component at an external resource under their control, and remote code execution follows when the component loads the malicious configuration file or additional library from that location.
| Vulnerability name | Command Injection Vulnerability in Apache NiFi Remote Resource Retrieval |
|---|---|
| Vulnerability type | code injection |
| Discovery time | 2023-07-29 |
| Vulnerability breadth | Small |
| MPS number | MPS-h7gi-f1vl |
| CVE number | CVE-2023-36542 |
| CNVD number | - |
Affected scope
org.apache.nifi:nifi-api@[0.0.1-incubating, 1.23.0);
org.apache.nifi:nifi-nar-bundles@[0.0.1-incubating, 1.23.0);
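Added example, not part of the advisory or of the NiFi project: a Python audit helper that checks whether a NiFi version falls inside the affected range above and lists every processor or controller-service property in an exported flow definition that points at an HTTP(S) URL, so each remote reference can be reviewed by an administrator. The flow-definition layout is a simplified assumption and the sample components are constructed.

```python
import json
import re
from typing import Iterator

# Fixed release named by the advisory; affected range is [0.0.1-incubating, 1.23.0)
FIXED_VERSION = (1, 23, 0)
URL_RE = re.compile(r"^\s*https?://", re.IGNORECASE)

def parse_version(version: str) -> tuple:
    """Map a NiFi version string ('1.22.0', '0.0.1-incubating') to a (major, minor, patch) tuple.
    Qualifiers after '-' are dropped; only the numeric core decides the comparison."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """True when the installed version predates the 1.23.0 fix for CVE-2023-36542."""
    return parse_version(version) < FIXED_VERSION

def remote_references(group: dict, path: str = "") -> Iterator[tuple]:
    """Walk a flow-definition export and yield (component path, type, property, value)
    for every processor or controller-service property holding an HTTP(S) URL.
    Assumed, simplified layout: a group has 'processors', 'controllerServices' and
    nested 'processGroups'; each component carries a 'properties' map."""
    group = group.get("flowContents", group)
    here = f"{path}/{group.get('name', '')}"
    for kind in ("processors", "controllerServices"):
        for comp in group.get(kind, []):
            for prop, value in (comp.get("properties") or {}).items():
                if isinstance(value, str) and URL_RE.match(value):
                    yield (f"{here}/{comp.get('name')}", comp.get("type"), prop, value)
    for child in group.get("processGroups", []):
        yield from remote_references(child, here)

# Constructed sample export (not a real NiFi flow); the component types are placeholders.
SAMPLE_FLOW = json.loads("""{"flowContents": {"name": "root",
  "processors": [{"name": "LoadModules", "type": "example.ScriptRunner",
                  "properties": {"Module Directory": "https://files.example.test/libs/"}}],
  "controllerServices": [{"name": "Lookup", "type": "example.LookupService",
                          "properties": {"Config File": "/opt/nifi/conf/lookup.xml"}}],
  "processGroups": [{"name": "ingest", "processors": [{"name": "Fetch", "type": "example.Fetch",
      "properties": {"Schema URL": "http://schemas.example.test/v1.avsc", "Retries": "3"}}]}]}}""")

if __name__ == "__main__":
    print("affected:", is_affected("1.22.0"))
    for finding in remote_references(SAMPLE_FLOW):
        print("review:", *finding)
```

Only the local path and the numeric property are skipped; each URL finding names the component path so it can be traced back to the user who configured it in the NiFi audit log.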
Remediation
Upgrade org.apache.nifi:nifi-api to 1.23.0 or later.
Upgrade org.apache.nifi:nifi-nar-bundles to 1.23.0 or later.
The official fix has been released: NIFI-11744 Added Required Permission to Reference Remote Resources · apache/nifi@cbee9f0 · GitHub
Reference links
[NIFI-11744] Add Required Permission for Referencing Remote Resources - ASF JIRA
NIFI-11744 Added Required Permission to Reference Remote Resources · apache/nifi@cbee9f0 · GitHub