Description
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
Users are recommended to upgrade to version 1.22.0 or later, which fixes this issue.
References
- Third Party Advisory, VDB Entry
- Mailing List, Third Party Advisory
- Mailing List, Vendor Advisory
- Release Notes, Vendor Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: version from 0.0.2 (inclusive) to 1.22.0 (exclusive)
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
EPSS
Percentile: 99%
0.77205
High
CVSS3: 8.8 High
Weaknesses
CWE-94
Related vulnerabilities
CVSS3: 8.8
fstec
more than 2 years ago
Vulnerability in the DBCPConnectionPool and HikariCPConnectionPool controller services of the Apache NiFi data processing platform, allowing an attacker to execute arbitrary code
EPSS
Percentile: 99%
0.77205
High
CVSS3: 8.8 High
Weaknesses
CWE-94