Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.nifi/nifi@1.22.0
Typemaven
Namespaceorg.apache.nifi
Namenifi
Version1.22.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.24.0
Latest_non_vulnerable_version1.24.0
Affected_by_vulnerabilities
0
url VCID-hy35-v2p5-2ycq
vulnerability_id VCID-hy35-v2p5-2ycq
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary
JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-49145
reference_id
reference_type
scores
0
value 0.00293
scoring_system epss
scoring_elements 0.52552
published_at 2026-04-02T12:55:00Z
1
value 0.00293
scoring_system epss
scoring_elements 0.52641
published_at 2026-04-21T12:55:00Z
2
value 0.00293
scoring_system epss
scoring_elements 0.52656
published_at 2026-04-18T12:55:00Z
3
value 0.00293
scoring_system epss
scoring_elements 0.52649
published_at 2026-04-16T12:55:00Z
4
value 0.00293
scoring_system epss
scoring_elements 0.5261
published_at 2026-04-13T12:55:00Z
5
value 0.00293
scoring_system epss
scoring_elements 0.52625
published_at 2026-04-12T12:55:00Z
6
value 0.00293
scoring_system epss
scoring_elements 0.52642
published_at 2026-04-11T12:55:00Z
7
value 0.00293
scoring_system epss
scoring_elements 0.52545
published_at 2026-04-07T12:55:00Z
8
value 0.00293
scoring_system epss
scoring_elements 0.52578
published_at 2026-04-04T12:55:00Z
9
value 0.00293
scoring_system epss
scoring_elements 0.52591
published_at 2026-04-09T12:55:00Z
10
value 0.00293
scoring_system epss
scoring_elements 0.52597
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-49145
1
reference_url https://github.com/apache/nifi
reference_id
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi
2
reference_url https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f
reference_id
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f
3
reference_url https://github.com/apache/nifi/pull/8060
reference_id
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/pull/8060
4
reference_url https://issues.apache.org/jira/browse/NIFI-12403
reference_id
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/NIFI-12403
5
reference_url https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o
reference_id
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o
6
reference_url https://nifi.apache.org/security.html#CVE-2023-49145
reference_id
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nifi.apache.org/security.html#CVE-2023-49145
7
reference_url http://www.openwall.com/lists/oss-security/2023/11/27/5
reference_id
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2023/11/27/5
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49145
reference_id CVE-2023-49145
reference_type
scores
0
value 7.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-49145
9
reference_url https://github.com/advisories/GHSA-68pr-6fjc-wmgm
reference_id GHSA-68pr-6fjc-wmgm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-68pr-6fjc-wmgm
fixed_packages
0
url pkg:maven/org.apache.nifi/nifi@1.24.0
purl pkg:maven/org.apache.nifi/nifi@1.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.24.0
aliases CVE-2023-49145, GHSA-68pr-6fjc-wmgm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hy35-v2p5-2ycq
1
url VCID-rv8f-q4a4-xqbk
vulnerability_id VCID-rv8f-q4a4-xqbk
summary 
Apache NiFi Code Injection vulnerability
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-36542
reference_id
reference_type
scores
0
value 0.0096
scoring_system epss
scoring_elements 0.76419
published_at 2026-04-02T12:55:00Z
1
value 0.0096
scoring_system epss
scoring_elements 0.76515
published_at 2026-04-16T12:55:00Z
2
value 0.0096
scoring_system epss
scoring_elements 0.76479
published_at 2026-04-12T12:55:00Z
3
value 0.0096
scoring_system epss
scoring_elements 0.76501
published_at 2026-04-11T12:55:00Z
4
value 0.0096
scoring_system epss
scoring_elements 0.76475
published_at 2026-04-13T12:55:00Z
5
value 0.0096
scoring_system epss
scoring_elements 0.76461
published_at 2026-04-08T12:55:00Z
6
value 0.0096
scoring_system epss
scoring_elements 0.76429
published_at 2026-04-07T12:55:00Z
7
value 0.0096
scoring_system epss
scoring_elements 0.76448
published_at 2026-04-04T12:55:00Z
8
value 0.0096
scoring_system epss
scoring_elements 0.76507
published_at 2026-04-21T12:55:00Z
9
value 0.0096
scoring_system epss
scoring_elements 0.76519
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-36542
1
reference_url http://seclists.org/fulldisclosure/2023/Jul/43
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/
url http://seclists.org/fulldisclosure/2023/Jul/43
2
reference_url https://github.com/apache/nifi
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi
3
reference_url https://github.com/apache/nifi/commit/532578799c
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/commit/532578799c
4
reference_url https://issues.apache.org/jira/browse/NIFI-11744
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/NIFI-11744
5
reference_url https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/
url https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof
6
reference_url https://nifi.apache.org/security.html#CVE-2023-36542
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/
url https://nifi.apache.org/security.html#CVE-2023-36542
7
reference_url http://www.openwall.com/lists/oss-security/2023/07/29/1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/
url http://www.openwall.com/lists/oss-security/2023/07/29/1
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36542
reference_id CVE-2023-36542
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-36542
9
reference_url https://github.com/advisories/GHSA-r969-8v3h-23v9
reference_id GHSA-r969-8v3h-23v9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r969-8v3h-23v9
fixed_packages
0
url pkg:maven/org.apache.nifi/nifi@1.23.0
purl pkg:maven/org.apache.nifi/nifi@1.23.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hy35-v2p5-2ycq
1
vulnerability VCID-ues1-6z47-q7hc
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.23.0
aliases CVE-2023-36542, GHSA-r969-8v3h-23v9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rv8f-q4a4-xqbk
2
url VCID-ues1-6z47-q7hc
vulnerability_id VCID-ues1-6z47-q7hc
summary 
Incorrect Comparison
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40037
reference_id
reference_type
scores
0
value 0.01261
scoring_system epss
scoring_elements 0.79378
published_at 2026-04-02T12:55:00Z
1
value 0.01261
scoring_system epss
scoring_elements 0.79452
published_at 2026-04-21T12:55:00Z
2
value 0.01261
scoring_system epss
scoring_elements 0.79449
published_at 2026-04-18T12:55:00Z
3
value 0.01261
scoring_system epss
scoring_elements 0.79451
published_at 2026-04-16T12:55:00Z
4
value 0.01261
scoring_system epss
scoring_elements 0.7942
published_at 2026-04-13T12:55:00Z
5
value 0.01261
scoring_system epss
scoring_elements 0.79431
published_at 2026-04-12T12:55:00Z
6
value 0.01261
scoring_system epss
scoring_elements 0.79447
published_at 2026-04-11T12:55:00Z
7
value 0.01261
scoring_system epss
scoring_elements 0.79388
published_at 2026-04-07T12:55:00Z
8
value 0.01261
scoring_system epss
scoring_elements 0.794
published_at 2026-04-04T12:55:00Z
9
value 0.01261
scoring_system epss
scoring_elements 0.79424
published_at 2026-04-09T12:55:00Z
10
value 0.01261
scoring_system epss
scoring_elements 0.79415
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40037
1
reference_url https://github.com/apache/nifi
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi
2
reference_url https://github.com/apache/nifi/commit/064550aacc189f39d7ddd2c0446068adf250f1bf
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/commit/064550aacc189f39d7ddd2c0446068adf250f1bf
3
reference_url https://github.com/apache/nifi/pull/7586
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/pull/7586
4
reference_url https://issues.apache.org/jira/browse/NIFI-11920
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/NIFI-11920
5
reference_url https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T20:06:15Z/
url https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q
6
reference_url https://nifi.apache.org/security.html#CVE-2023-40037
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T20:06:15Z/
url https://nifi.apache.org/security.html#CVE-2023-40037
7
reference_url http://www.openwall.com/lists/oss-security/2023/08/18/2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T20:06:15Z/
url http://www.openwall.com/lists/oss-security/2023/08/18/2
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40037
reference_id CVE-2023-40037
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40037
9
reference_url https://github.com/advisories/GHSA-23qf-3jf9-h3q9
reference_id GHSA-23qf-3jf9-h3q9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-23qf-3jf9-h3q9
fixed_packages
0
url pkg:maven/org.apache.nifi/nifi@1.23.1
purl pkg:maven/org.apache.nifi/nifi@1.23.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hy35-v2p5-2ycq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.23.1
aliases CVE-2023-40037, GHSA-23qf-3jf9-h3q9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ues1-6z47-q7hc
Fixing_vulnerabilities
0
url VCID-3eka-p4cs-f3dz
vulnerability_id VCID-3eka-p4cs-f3dz
summary 
Apache NiFi vulnerable to Code Injection
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
references
0
reference_url http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/
url http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-34468
reference_id
reference_type
scores
0
value 0.77205
scoring_system epss
scoring_elements 0.98975
published_at 2026-04-21T12:55:00Z
1
value 0.77205
scoring_system epss
scoring_elements 0.98965
published_at 2026-04-02T12:55:00Z
2
value 0.77205
scoring_system epss
scoring_elements 0.98967
published_at 2026-04-04T12:55:00Z
3
value 0.77205
scoring_system epss
scoring_elements 0.98969
published_at 2026-04-07T12:55:00Z
4
value 0.77205
scoring_system epss
scoring_elements 0.98971
published_at 2026-04-09T12:55:00Z
5
value 0.77205
scoring_system epss
scoring_elements 0.98972
published_at 2026-04-12T12:55:00Z
6
value 0.77205
scoring_system epss
scoring_elements 0.98973
published_at 2026-04-13T12:55:00Z
7
value 0.77205
scoring_system epss
scoring_elements 0.98974
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-34468
2
reference_url https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468
3
reference_url https://github.com/apache/nifi
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi
4
reference_url https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361
5
reference_url https://github.com/apache/nifi/pull/7349
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/pull/7349
6
reference_url https://issues.apache.org/jira/browse/NIFI-11653
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/NIFI-11653
7
reference_url https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/
url https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
8
reference_url https://nifi.apache.org/security.html#CVE-2023-34468
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/
url https://nifi.apache.org/security.html#CVE-2023-34468
9
reference_url https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation
10
reference_url http://www.openwall.com/lists/oss-security/2023/06/12/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/
url http://www.openwall.com/lists/oss-security/2023/06/12/3
11
reference_url https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/
reference_id apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/
url https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34468
reference_id CVE-2023-34468
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-34468
13
reference_url https://github.com/advisories/GHSA-xm2m-2q6h-22jw
reference_id GHSA-xm2m-2q6h-22jw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xm2m-2q6h-22jw
fixed_packages
0
url pkg:maven/org.apache.nifi/nifi@1.22.0
purl pkg:maven/org.apache.nifi/nifi@1.22.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hy35-v2p5-2ycq
1
vulnerability VCID-rv8f-q4a4-xqbk
2
vulnerability VCID-ues1-6z47-q7hc
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0
aliases CVE-2023-34468, GHSA-xm2m-2q6h-22jw
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3eka-p4cs-f3dz
1
url VCID-4uja-72yx-6qdc
vulnerability_id VCID-4uja-72yx-6qdc
summary 
Deserialization of Untrusted Data
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-34212
reference_id
reference_type
scores
0
value 0.00779
scoring_system epss
scoring_elements 0.73667
published_at 2026-04-09T12:55:00Z
1
value 0.00779
scoring_system epss
scoring_elements 0.73654
published_at 2026-04-08T12:55:00Z
2
value 0.00779
scoring_system epss
scoring_elements 0.73716
published_at 2026-04-18T12:55:00Z
3
value 0.00779
scoring_system epss
scoring_elements 0.73707
published_at 2026-04-21T12:55:00Z
4
value 0.00779
scoring_system epss
scoring_elements 0.73663
published_at 2026-04-13T12:55:00Z
5
value 0.00779
scoring_system epss
scoring_elements 0.73672
published_at 2026-04-12T12:55:00Z
6
value 0.00779
scoring_system epss
scoring_elements 0.73689
published_at 2026-04-11T12:55:00Z
7
value 0.00909
scoring_system epss
scoring_elements 0.75748
published_at 2026-04-02T12:55:00Z
8
value 0.00909
scoring_system epss
scoring_elements 0.75759
published_at 2026-04-07T12:55:00Z
9
value 0.00909
scoring_system epss
scoring_elements 0.7578
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-34212
1
reference_url https://github.com/apache/nifi
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi
2
reference_url https://github.com/apache/nifi/commit/3fcb82ee4509d1ad73893d8dca003be6d086c5d6
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/commit/3fcb82ee4509d1ad73893d8dca003be6d086c5d6
3
reference_url https://github.com/apache/nifi/pull/7313
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/nifi/pull/7313
4
reference_url https://issues.apache.org/jira/browse/NIFI-11614
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/NIFI-11614
5
reference_url https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-09T13:37:27Z/
url https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5
6
reference_url https://nifi.apache.org/security.html#CVE-2023-34212
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-09T13:37:27Z/
url https://nifi.apache.org/security.html#CVE-2023-34212
7
reference_url http://www.openwall.com/lists/oss-security/2023/06/12/2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-09T13:37:27Z/
url http://www.openwall.com/lists/oss-security/2023/06/12/2
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34212
reference_id CVE-2023-34212
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-34212
9
reference_url https://github.com/advisories/GHSA-65wh-g8x8-gm2h
reference_id GHSA-65wh-g8x8-gm2h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-65wh-g8x8-gm2h
fixed_packages
0
url pkg:maven/org.apache.nifi/nifi@1.22.0
purl pkg:maven/org.apache.nifi/nifi@1.22.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hy35-v2p5-2ycq
1
vulnerability VCID-rv8f-q4a4-xqbk
2
vulnerability VCID-ues1-6z47-q7hc
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0
aliases CVE-2023-34212, GHSA-65wh-g8x8-gm2h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4uja-72yx-6qdc
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0