Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0

Type maven

Namespace org.apache.nifi

Name nifi-hikari-dbcp-service

Version 1.22.0

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 1.23.0

Latest_non_vulnerable_version 1.23.0

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-uwnc-5qk4-eqgw

vulnerability_id VCID-uwnc-5qk4-eqgw

summary

Apache NiFi vulnerable to Code Injection
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

references

reference_url	https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468
reference_id
reference_type
scores
url	https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468

reference_url	https://github.com/apache/nifi
reference_id
reference_type
scores
url	https://github.com/apache/nifi

reference_url	https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361
reference_id
reference_type
scores
url	https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361

reference_url	https://github.com/apache/nifi/pull/7349
reference_id
reference_type
scores
url	https://github.com/apache/nifi/pull/7349

reference_url	https://issues.apache.org/jira/browse/NIFI-11653
reference_id
reference_type
scores
url	https://issues.apache.org/jira/browse/NIFI-11653

reference_url	https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
reference_id
reference_type
scores
url	https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8

reference_url	https://nifi.apache.org/security.html#CVE-2023-34468
reference_id
reference_type
scores
url	https://nifi.apache.org/security.html#CVE-2023-34468

reference_url	https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation
reference_id
reference_type
scores
url	https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation

reference_url	http://www.openwall.com/lists/oss-security/2023/06/12/3
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2023/06/12/3

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-34468
reference_id	CVE-2023-34468
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-34468

reference_url	https://github.com/advisories/GHSA-xm2m-2q6h-22jw
reference_id	GHSA-xm2m-2q6h-22jw
reference_type
scores
url	https://github.com/advisories/GHSA-xm2m-2q6h-22jw

fixed_packages

url	pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0
purl	pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0

aliases CVE-2023-34468, GHSA-xm2m-2q6h-22jw

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uwnc-5qk4-eqgw

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0

Package Instance