CVE-2023-34212

MEDIUM

Apache Nifi < 1.21.0 - Insecure Deserialization

Title source: rule

Description

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Exploits (1)

nomisec WRITEUP 3 stars

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2023-34212

View Code ZIP pw:eip

References (3)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2023/06/12/2

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5

[Release Notes, Vendor Advisory] https://nifi.apache.org/security.html#CVE-2023-34212

Scores

CVSS v3 6.5

EPSS 0.0118

EPSS Percentile 78.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-502

Status published

Affected Products (2)

apache/nifi < 1.21.0

org.apache.nifi/nifi-jms-processors < 1.22.0Maven

Timeline

Published Jun 12, 2023

Tracked Since Feb 18, 2026