Moderate severityNVD Advisory· Published Aug 18, 2023· Updated Feb 13, 2025
Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs
CVE-2023-40037
Description
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.nifi:nifi-dbcp-baseMaven | >= 1.21.0, < 1.23.1 | 1.23.1 |
org.apache.nifi:nifi-jms-processorsMaven | >= 1.21.0, < 1.23.1 | 1.23.1 |
org.apache.nifi:nifi-dbcp-service-apiMaven | >= 1.21.0, < 1.23.1 | 1.23.1 |
org.apache.nifi:nifi-dbcp-service-bundleMaven | >= 1.21.0, < 1.23.1 | 1.23.1 |
Affected products
6- osv-coords5 versionspkg:bitnami/nifipkg:maven/org.apache.nifi/nifi-dbcp-basepkg:maven/org.apache.nifi/nifi-dbcp-service-apipkg:maven/org.apache.nifi/nifi-dbcp-service-bundlepkg:maven/org.apache.nifi/nifi-jms-processors
>= 1.21.0, < 1.23.1+ 4 more
- (no CPE)range: >= 1.21.0, < 1.23.1
- (no CPE)range: >= 1.21.0, < 1.23.1
- (no CPE)range: >= 1.21.0, < 1.23.1
- (no CPE)range: >= 1.21.0, < 1.23.1
- (no CPE)range: >= 1.21.0, < 1.23.1
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-23qf-3jf9-h3q9ghsaADVISORY
- lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687qghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-40037ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/08/18/2ghsaWEB
- github.com/apache/nifi/commit/064550aacc189f39d7ddd2c0446068adf250f1bfghsaWEB
- github.com/apache/nifi/pull/7586ghsaWEB
- issues.apache.org/jira/browse/NIFI-11920ghsaWEB
- nifi.apache.org/security.htmlghsarelease-notesWEB
News mentions
0No linked articles in our index yet.