Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.16.2

Type maven

Namespace org.apache.nifi

Name nifi-hikari-dbcp-service

Version 1.16.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.23.0

Latest_non_vulnerable_version 1.23.0

Affected_by_vulnerabilities

url VCID-avx3-b1dt-kkf9

vulnerability_id VCID-avx3-b1dt-kkf9

summary

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-34468

reference_id

reference_type

scores

value	0.78065
scoring_system	epss
scoring_elements	0.99038
published_at	2026-06-11T12:55:00Z

value	0.78065
scoring_system	epss
scoring_elements	0.99042
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-34468

reference_url

https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468

reference_url

https://github.com/apache/nifi

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi

reference_url

https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361

reference_url

https://github.com/apache/nifi/pull/7349

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi/pull/7349

reference_url

https://issues.apache.org/jira/browse/NIFI-11653

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/NIFI-11653

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-34468

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-34468

reference_url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation

reference_url

http://www.openwall.com/lists/oss-security/2023/06/12/3

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

http://www.openwall.com/lists/oss-security/2023/06/12/3

reference_url

https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8

reference_id

7b82l4f5blmpkfcynf3y6z4x1vqo59h8

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8

reference_url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/

reference_id

apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/

reference_url

http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html

reference_id

Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html

reference_url

https://github.com/advisories/GHSA-xm2m-2q6h-22jw

reference_id

GHSA-xm2m-2q6h-22jw

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xm2m-2q6h-22jw

reference_url

https://nifi.apache.org/security.html#CVE-2023-34468

reference_id

security.html#CVE-2023-34468

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T20:21:50Z/

url

https://nifi.apache.org/security.html#CVE-2023-34468

fixed_packages

url pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0

purl pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-tghs-efwb-4bhx

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0

aliases CVE-2023-34468, GHSA-xm2m-2q6h-22jw

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-avx3-b1dt-kkf9

url VCID-tghs-efwb-4bhx

vulnerability_id VCID-tghs-efwb-4bhx

summary Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-36542

reference_id

reference_type

scores

value	0.01177
scoring_system	epss
scoring_elements	0.79137
published_at	2026-06-11T12:55:00Z

value	0.01177
scoring_system	epss
scoring_elements	0.79202
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-36542

reference_url

https://github.com/apache/nifi

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi

reference_url

https://github.com/apache/nifi/commit/532578799c

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/nifi/commit/532578799c

reference_url

https://issues.apache.org/jira/browse/NIFI-11744

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/NIFI-11744

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-36542

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-36542

reference_url

http://www.openwall.com/lists/oss-security/2023/07/29/1

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

http://www.openwall.com/lists/oss-security/2023/07/29/1

reference_url

http://seclists.org/fulldisclosure/2023/Jul/43

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

http://seclists.org/fulldisclosure/2023/Jul/43

reference_url

https://github.com/advisories/GHSA-r969-8v3h-23v9

reference_id

GHSA-r969-8v3h-23v9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r969-8v3h-23v9

reference_url

https://nifi.apache.org/security.html#CVE-2023-36542

reference_id

security.html#CVE-2023-36542

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

https://nifi.apache.org/security.html#CVE-2023-36542

reference_url

https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof

reference_id

swnly3dzhhq9zo3rofc8djq77stkhbof

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T13:50:05Z/

url

https://lists.apache.org/thread/swnly3dzhhq9zo3rofc8djq77stkhbof

fixed_packages

url	pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.23.0
purl	pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.23.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.23.0

aliases CVE-2023-36542, GHSA-r969-8v3h-23v9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tghs-efwb-4bhx

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.16.2

Package Instance