GHSA-r969-8v3h-23v9

Source: https://github.com/advisories/GHSA-r969-8v3h-23v9
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-r969-8v3h-23v9/GHSA-r969-8v3h-23v9.json
JSON Data: https://api.test.osv.dev/v1/vulns/GHSA-r969-8v3h-23v9
Aliases
Published: 2023-07-29T09:30:15Z
Modified: 2024-10-03T18:23:06.658585Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Apache NiFi Code Injection vulnerability
Details

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.

Database specific
{
    "nvd_published_at": "2023-07-29T08:15:48Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T22:03:10Z"
}
References

Affected packages

Maven / org.apache.nifi:nifi-cdc-mysql-bundle

Package
Name: org.apache.nifi:nifi-cdc-mysql-bundle
Purl: pkg:maven/org.apache.nifi/nifi-cdc-mysql-bundle

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

1.*

1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0

Maven / org.apache.nifi:nifi-jms-processors

Package
Name: org.apache.nifi:nifi-jms-processors
Purl: pkg:maven/org.apache.nifi/nifi-jms-processors

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

0.*

0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4

1.*

1.0.0-BETA
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0

Maven / org.apache.nifi:nifi-standard-processors

Package
Name: org.apache.nifi:nifi-standard-processors
Purl: pkg:maven/org.apache.nifi/nifi-standard-processors

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

0.*

0.0.2-incubating
0.1.0-incubating
0.2.0-incubating
0.2.1
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4

1.*

1.0.0-BETA
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0

Maven / org.apache.nifi:nifi-dbcp-service

Package
Name: org.apache.nifi:nifi-dbcp-service
Purl: pkg:maven/org.apache.nifi/nifi-dbcp-service

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

0.*

0.2.0-incubating
0.2.1
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4

1.*

1.0.0-BETA
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0

Maven / org.apache.nifi:nifi-hikari-dbcp-service

Package
Name: org.apache.nifi:nifi-hikari-dbcp-service
Purl: pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

1.*

1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0

Maven / org.apache.nifi:nifi-hadoop-dbcp-service

Package
Name: org.apache.nifi:nifi-hadoop-dbcp-service
Purl: pkg:maven/org.apache.nifi/nifi-hadoop-dbcp-service

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

1.*

1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0

Maven / org.apache.nifi:nifi-hbase_2-client-service

Package
Name: org.apache.nifi:nifi-hbase_2-client-service
Purl: pkg:maven/org.apache.nifi/nifi-hbase_2-client-service

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

1.*

1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0

Maven / org.apache.nifi:nifi-record-serialization-services

Package
Name: org.apache.nifi:nifi-record-serialization-services
Purl: pkg:maven/org.apache.nifi/nifi-record-serialization-services

Affected ranges
Type: ECOSYSTEM
Introduced: 0.0.2
Fixed: 1.23.0

Affected versions

1.*

1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.22.0