Deserialization of Untrusted Data in Apache Nifi - CVE-2023-34212
Published: June 13, 2023
Vulnerability identifier: #VU77232
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-34212
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Nifi
Apache Nifi
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the JndiJmsConnectionFactoryProvider Controller Service and in ConsumeJMS and PublishJMS Processors. A remote user with ability to configure URL and library properties that enable deserialization of untrusted data from a remote location can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.