Apache · Apache NiFi · CVE-2023-34212
**Name of the Vulnerable Software and Affected Versions**
Apache NiFi versions 1.8.0 through 1.21.0
**Description**
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, allows an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.
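The kind of scheme restriction the resolution describes, shown as an added example rather than NiFi's own code. The class name, the allow-list contents and the sample URLs are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JndiUrlSchemeCheck {
    // Assumed allow-list for this example only; not taken from the advisory.
    static final Set<String> ALLOWED = Set.of("tcp", "ssl", "vm", "file");

    // RFC 3986 scheme: a letter, then letters, digits, '+', '-' or '.', ended by ':'.
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    /** Returns null when the URL is acceptable, otherwise the reason it is rejected. */
    static String rejectReason(String url, Set<String> allowed) {
        if (url == null || url.isBlank()) {
            return "URL is empty";
        }
        Matcher m = SCHEME.matcher(url.strip());
        if (!m.find()) {
            return "no scheme found"; // fail closed instead of guessing a default
        }
        // Schemes are case-insensitive, so normalise before the lookup.
        String scheme = m.group(1).toLowerCase(Locale.ROOT);
        return allowed.contains(scheme) ? null : "scheme '" + scheme + "' is not allowed";
    }

    public static void main(String[] args) {
        // Constructed sample values; the hosts are placeholders.
        List<String> samples = List.of(
                "tcp://broker.example.internal:61616",
                "ldap://directory.example.net:389/cn=factory",
                "LDAP://directory.example.net/cn=factory",
                " rmi://registry.example.net:1099/obj",
                "broker.example.internal/queue",
                "");
        for (String url : samples) {
            String reason = rejectReason(url, ALLOWED);
            System.out.printf("%-48s %s%n", "[" + url + "]",
                    reason == null ? "accepted" : "rejected: " + reason);
        }
    }
}
```

Only the first sample is accepted. The check runs before any JNDI lookup, so a URL with a scheme outside the list never reaches the naming provider.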
**Recommendations**
Upgrade to version 1.22.0 or later, which fixes this issue.