
Vulnerability_id VCID-uwnc-5qk4-eqgw
Summary
Apache NiFi vulnerable to Code Injection
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

Users are recommended to upgrade to version 1.22.0 or later, which fixes this issue.
Aliases
0
alias CVE-2023-34468
1
alias GHSA-xm2m-2q6h-22jw
Fixed_packages
0
url pkg:maven/org.apache.nifi/nifi@1.22.0
purl pkg:maven/org.apache.nifi/nifi@1.22.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mm3u-4acx-e3hj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0
1
url pkg:maven/org.apache.nifi/nifi-dbcp-base@1.22.0
purl pkg:maven/org.apache.nifi/nifi-dbcp-base@1.22.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-dbcp-base@1.22.0
2
url pkg:maven/org.apache.nifi/nifi-dbcp-service-nar@1.22.0
purl pkg:maven/org.apache.nifi/nifi-dbcp-service-nar@1.22.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-dbcp-service-nar@1.22.0
3
url pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0
purl pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.22.0
Affected_packages
0
url pkg:maven/org.apache.nifi/nifi@0.0.2
purl pkg:maven/org.apache.nifi/nifi@0.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mm3u-4acx-e3hj
1
vulnerability VCID-uwnc-5qk4-eqgw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@0.0.2
1
url pkg:maven/org.apache.nifi/nifi-dbcp-base@0.0.2
purl pkg:maven/org.apache.nifi/nifi-dbcp-base@0.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-uwnc-5qk4-eqgw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-dbcp-base@0.0.2
2
url pkg:maven/org.apache.nifi/nifi-dbcp-service-nar@0.0.2
purl pkg:maven/org.apache.nifi/nifi-dbcp-service-nar@0.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-uwnc-5qk4-eqgw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-dbcp-service-nar@0.0.2
3
url pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@0.0.2
purl pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@0.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mm3u-4acx-e3hj
1
vulnerability VCID-uwnc-5qk4-eqgw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@0.0.2
References
0
reference_url https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468
reference_id
reference_type
scores
url https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468
1
reference_url https://github.com/apache/nifi
reference_id
reference_type
scores
url https://github.com/apache/nifi
2
reference_url https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361
reference_id
reference_type
scores
url https://github.com/apache/nifi/commit/4faf3ea59895e7e153db3f8f61147ff70a254361
3
reference_url https://github.com/apache/nifi/pull/7349
reference_id
reference_type
scores
url https://github.com/apache/nifi/pull/7349
4
reference_url https://issues.apache.org/jira/browse/NIFI-11653
reference_id
reference_type
scores
url https://issues.apache.org/jira/browse/NIFI-11653
5
reference_url https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
reference_id
reference_type
scores
url https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8
6
reference_url https://nifi.apache.org/security.html#CVE-2023-34468
reference_id
reference_type
scores
url https://nifi.apache.org/security.html#CVE-2023-34468
7
reference_url https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation
reference_id
reference_type
scores
url https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation
8
reference_url http://www.openwall.com/lists/oss-security/2023/06/12/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2023/06/12/3
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34468
reference_id CVE-2023-34468
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-34468
10
reference_url https://github.com/advisories/GHSA-xm2m-2q6h-22jw
reference_id GHSA-xm2m-2q6h-22jw
reference_type
scores
url https://github.com/advisories/GHSA-xm2m-2q6h-22jw
Weaknesses
0
cwe_id 94
name Improper Control of Generation of Code ('Code Injection')
description The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uwnc-5qk4-eqgw