VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-x3kh-f6xp-aaah

Essentials
Severities (103)
References (11)
Severity details (17)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-x3kh-f6xp-aaah
Aliases	CVE-2023-40037 GHSA-23qf-3jf9-h3q9
Summary	Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-184	Incomplete List of Disallowed Inputs
CWE-697	Incorrect Comparison
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00131	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00131	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00131	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00131	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.00160	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.01057	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.0141	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
epss	0.07039	https://api.first.org/data/v1/epss?cve=CVE-2023-40037
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-23qf-3jf9-h3q9
cvssv3.1	4.6	https://github.com/apache/nifi
generic_textual	MODERATE	https://github.com/apache/nifi
cvssv3.1	6.5	https://github.com/apache/nifi/commit/064550aacc189f39d7ddd2c0446068adf250f1bf
generic_textual	MODERATE	https://github.com/apache/nifi/commit/064550aacc189f39d7ddd2c0446068adf250f1bf
cvssv3.1	6.5	https://github.com/apache/nifi/pull/7586
generic_textual	MODERATE	https://github.com/apache/nifi/pull/7586
cvssv3.1	6.5	https://issues.apache.org/jira/browse/NIFI-11920
generic_textual	MODERATE	https://issues.apache.org/jira/browse/NIFI-11920
cvssv3.1	6.5	https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q
generic_textual	MODERATE	https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q
cvssv3.1	6.5	https://nifi.apache.org/security.html#CVE-2023-40037
generic_textual	MODERATE	https://nifi.apache.org/security.html#CVE-2023-40037
cvssv3	6.5	https://nvd.nist.gov/vuln/detail/CVE-2023-40037
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2023-40037
cvssv3.1	6.5	http://www.openwall.com/lists/oss-security/2023/08/18/2
generic_textual	MODERATE	http://www.openwall.com/lists/oss-security/2023/08/18/2

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-40037
		https://github.com/apache/nifi
		https://github.com/apache/nifi/commit/064550aacc189f39d7ddd2c0446068adf250f1bf
		https://github.com/apache/nifi/pull/7586
		https://issues.apache.org/jira/browse/NIFI-11920
		https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q
		https://nifi.apache.org/security.html#CVE-2023-40037
		http://www.openwall.com/lists/oss-security/2023/08/18/2
cpe:2.3:a:apache:nifi::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:nifi::::::::
CVE-2023-40037		https://nvd.nist.gov/vuln/detail/CVE-2023-40037
GHSA-23qf-3jf9-h3q9		https://github.com/advisories/GHSA-23qf-3jf9-h3q9

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/apache/nifi

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/apache/nifi/commit/064550aacc189f39d7ddd2c0446068adf250f1bf

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/apache/nifi/pull/7586

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://issues.apache.org/jira/browse/NIFI-11920

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://lists.apache.org/thread/bqbjlrs2p5ghh8sbk5nsxb8xpf9l687q

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://nifi.apache.org/security.html#CVE-2023-40037

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-40037

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-40037

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at http://www.openwall.com/lists/oss-security/2023/08/18/2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.48567
EPSS Score	0.00131
Published At	Dec. 17, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.