CVE-2023-34212

MEDIUM

Apache NiFi 1.8.0-1.21.0 - Authenticated Deserialization of Untrusted Data via JNDI URL Configuration

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-34212. PoCs published by mbadanoiu.

AI-analyzed exploit summary This repository provides a writeup and references for CVE-2023-34212, a Java deserialization vulnerability in Apache NiFi via JNDI components. It includes details on requirements, vendor disclosure, and additional resources but lacks direct exploit code.

Description

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Exploits (1)

nomisec WRITEUP 3 stars

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2023-34212

View Code ZIP pw:eip

This repository provides a writeup and references for CVE-2023-34212, a Java deserialization vulnerability in Apache NiFi via JNDI components. It includes details on requirements, vendor disclosure, and additional resources but lacks direct exploit code.

Classification

Writeup 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Theoretical

Target: Apache NiFi 1.8.0 through 1.21.0

Auth required

Prerequisites: Valid user credentials · Access to configure JNDI properties

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2023/06/12/2

Release Notes, Vendor Advisory release-notes

https://nifi.apache.org/security.html#CVE-2023-34212

Mailing List, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5

Scores

CVSS v3 6.5

EPSS 0.0235

EPSS Percentile 81.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-502

Status published

Products (2)

apache/nifi 1.8.0 - 1.21.0

org.apache.nifi/nifi-jms-processors 1.8.0 - 1.22.0Maven

Published Jun 12, 2023

Tracked Since Feb 18, 2026