VYPR
Moderate severityNVD Advisory· Published Aug 18, 2023· Updated Feb 13, 2025

Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs

CVE-2023-40037

Description

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.nifi:nifi-dbcp-baseMaven
>= 1.21.0, < 1.23.11.23.1
org.apache.nifi:nifi-jms-processorsMaven
>= 1.21.0, < 1.23.11.23.1
org.apache.nifi:nifi-dbcp-service-apiMaven
>= 1.21.0, < 1.23.11.23.1
org.apache.nifi:nifi-dbcp-service-bundleMaven
>= 1.21.0, < 1.23.11.23.1

Affected products

6

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.