Ecosyste.ms: Advisories


Security Advisories: GSA_kwCzR0hTQS1yOTY5LTh2M2gtMjN2Oc4AA080

Apache NiFi Code Injection vulnerability

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.

Permalink: https://github.com/advisories/GHSA-r969-8v3h-23v9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOTY5LTh2M2gtMjN2Oc4AA080
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-r969-8v3h-23v9, CVE-2023-36542
References: Repository: https://github.com/apache/nifi
Blast Radius: 17.4

Affected Packages

maven:org.apache.nifi:nifi-record-serialization-services
Dependent packages: 32
Dependent repositories: 92
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0
maven:org.apache.nifi:nifi-hbase_2-client-service
Dependent packages: 1
Dependent repositories: 54
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0
maven:org.apache.nifi:nifi-hadoop-dbcp-service
Dependent packages: 1
Dependent repositories: 47
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0
maven:org.apache.nifi:nifi-hikari-dbcp-service
Dependent packages: 1
Dependent repositories: 36
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0
maven:org.apache.nifi:nifi-dbcp-service
Dependent packages: 6
Dependent repositories: 70
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0, 1.26.0
maven:org.apache.nifi:nifi-standard-processors
Dependent packages: 9
Dependent repositories: 95
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0, 1.26.0
maven:org.apache.nifi:nifi-jms-processors
Dependent packages: 1
Dependent repositories: 66
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0
maven:org.apache.nifi:nifi-cdc-mysql-bundle
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 0.0.2, < 1.23.0
Fixed in: 1.23.0
All affected versions: 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0
All unaffected versions: 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.25.0