Severity: important

Affected versions:

- Apache NiFi 0.0.2 through 1.21.0

Description:

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

This issue is being tracked as NIFI-11653.

Credit:

Matei "Mal" Badanoiu (finder)

References:

https://nifi.apache.org/security.html#CVE-2023-34468
https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-34468
https://issues.apache.org/jira/browse/NIFI-11653

Timeline:

2023-06-06: reported
2023-06-06: confirmed
2023-06-06: resolved
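
For operators who want to check existing flows for the configuration the resolution now rejects, the following audit sketch is an added example and is not NiFi's own validation code. The inventory structure, the fully qualified type names, the property names, and the rule that URL-bearing properties contain "url" in their name are all assumptions; the sample data is constructed.

```python
import re

# Captures the JDBC subprotocol, e.g. "h2" in "jdbc:h2:mem:scratch".
JDBC_PREFIX = re.compile(r"^jdbc:([a-z0-9_+.-]+):", re.IGNORECASE)
AFFECTED_TYPES = ("DBCPConnectionPool", "HikariCPConnectionPool")

def classify_url(value):
    """Return 'reject', 'review' or 'ok' for a single property value."""
    if not isinstance(value, str):
        return "ok"
    # Drop control characters and outer whitespace so padding cannot hide the prefix.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    if "${" in cleaned:
        return "review"  # resolved at runtime, cannot be judged statically
    match = JDBC_PREFIX.match(cleaned)
    return "reject" if match and match.group(1).lower() == "h2" else "ok"

def audit(services):
    """Return (service name, property, verdict) for each finding."""
    findings = []
    for svc in services:
        if not svc["type"].endswith(AFFECTED_TYPES):
            continue
        for prop, value in svc["properties"].items():
            verdict = classify_url(value)
            # Assumption: URL-bearing properties have "url" in their name.
            if verdict == "review" and "url" not in prop.lower():
                continue
            if verdict != "ok":
                findings.append((svc["name"], prop, verdict))
    return findings

# Constructed inventory (not real NiFi export output).
SAMPLE = [
    {"name": "orders-db", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {"Database Connection URL": "jdbc:postgresql://db.example.internal/orders",
                    "Database User": "${db.user}"}},
    {"name": "scratch", "type": "org.apache.nifi.dbcp.HikariCPConnectionPool",
     "properties": {"hikaricp-connection-url": " JDBC:H2:mem:scratch"}},
    {"name": "reporting", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {"Database Connection URL": "${reporting.jdbc.url}"}},
]

if __name__ == "__main__":
    for name, prop, verdict in audit(SAMPLE):
        print(f"{verdict:7} {name}: {prop}")
```

A "review" verdict means the URL is built from a `${...}` placeholder and has to be checked against the value it resolves to at runtime.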