
CVE-2023-34212 org.apache.nifi:nifi-jms-processors

Package

Manager: maven
Name: org.apache.nifi:nifi-jms-processors
Vulnerable Version: >=1.8.0 <1.22.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0111 (percentile 0.77315)

Details

Apache NiFi vulnerable to Deserialization of Untrusted Data. The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allows an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. Upgrading to version 1.22.0 or later, which fixes this issue, is recommended.

Metadata

Created: 2023-06-12T18:30:18Z
Modified: 2025-02-13T18:57:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-65wh-g8x8-gm2h/GHSA-65wh-g8x8-gm2h.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-65wh-g8x8-gm2h
Finding: F096
Auto approve: 1