PT-2023-5706 · Apache · Apache Nifi


Published 2023-07-28 · Updated 2025-09-12 · CVE-2023-36542

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Affected Software and Versions: Apache NiFi 0.0.2 through 1.22.0
Description: Apache NiFi 0.0.2 through 1.22.0 includes Processors and Controller Services that accept HTTP URL references for retrieving drivers (for example, the driver location of a database connection pool). Because the referenced code is downloaded and loaded at runtime, an authenticated and authorized user who is allowed to configure such a component can point it at a location under their control and obtain custom code execution on the NiFi host. The weakness is classified as Code Injection.
Recommendations: For Apache NiFi 0.0.2 through 1.22.0, upgrade to Apache NiFi 1.23.0. That release introduces a new Required Permission for referencing remote resources; Processors and Controller Services annotated with the new restriction can only be configured by users who hold that permission, so unprivileged users can no longer point driver locations at remote URLs. Because the permission governs configuration rather than already-saved values, review existing flows for driver locations that reference HTTP URLs after upgrading, and grant the new permission only to the administrators who genuinely need to reference remote resources.
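An added audit example, written for this page and not code from the advisory or from the Apache NiFi project: it checks whether a NiFi version string falls inside the affected range and walks an exported flow definition to list Processors and Controller Services whose driver-location property references an http:// or https:// URL, which is the configuration path this advisory describes. The flow-definition layout (a root group under `flowContents` or `rootGroup`, with `processors`, `controllerServices` and nested `processGroups`) and the set of property names to inspect are assumptions for the example; `database-driver-locations` is the DBCPConnectionPool "Database Driver Location(s)" property, and other components should be added to the set as needed. The sample flow embedded below is constructed for the example.

```python
import json
import re

# Affected range from the advisory: 0.0.2 through 1.22.0; fixed in 1.23.0.
AFFECTED_MIN = (0, 0, 2)
FIXED_IN = (1, 23, 0)

# Property names that accept driver/JAR locations. "database-driver-locations"
# is the DBCPConnectionPool property name; the set is an assumption for this
# example and should be extended for other components in your flows.
DRIVER_LOCATION_PROPERTIES = {"database-driver-locations"}

REMOTE_URL = re.compile(r"^\s*https?://", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'1.22.0' -> (1, 22, 0); qualifiers such as '-SNAPSHOT' are dropped."""
    core = version.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version lies in the affected range 0.0.2 <= v < 1.23.0."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def remote_driver_references(flow: dict) -> list:
    """Return components whose driver-location property references an HTTP(S) URL.

    Assumed layout: a root group under 'flowContents' (UI export) or 'rootGroup'
    (flow.json), each group carrying 'processors', 'controllerServices' and
    nested 'processGroups'.
    """
    findings = []

    def walk(group: dict) -> None:
        for kind in ("processors", "controllerServices"):
            for comp in group.get(kind, []):
                for prop, value in (comp.get("properties") or {}).items():
                    if prop not in DRIVER_LOCATION_PROPERTIES or not isinstance(value, str):
                        continue
                    # The property accepts a comma-separated list of locations.
                    for location in value.split(","):
                        if REMOTE_URL.match(location):
                            findings.append({
                                "kind": kind,
                                "name": comp.get("name"),
                                "type": comp.get("type"),
                                "property": prop,
                                "location": location.strip(),
                            })
        for child in group.get("processGroups", []):
            walk(child)

    walk(flow.get("flowContents") or flow.get("rootGroup") or flow)
    return findings


# Constructed sample flow definition for the example (not a real export).
SAMPLE_FLOW = json.loads("""
{
  "flowContents": {
    "name": "root",
    "controllerServices": [
      {"name": "pg-pool-local", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
       "properties": {"database-driver-locations": "/opt/nifi/drivers/postgresql.jar"}},
      {"name": "pg-pool-remote", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
       "properties": {"database-driver-locations": "/opt/nifi/drivers/a.jar, http://example.invalid/driver.jar"}}
    ],
    "processors": [],
    "processGroups": [
      {"name": "child", "controllerServices": [], "processors": [], "processGroups": []}
    ]
  }
}
""")

if __name__ == "__main__":
    for v in ("1.22.0", "1.23.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for f in remote_driver_references(SAMPLE_FLOW):
        print(f"{f['kind']}: {f['name']} ({f['type']}) {f['property']} -> {f['location']}")
```

Run it against a real export by replacing `SAMPLE_FLOW` with `json.load(open("flow.json"))`. A remote hit is not proof of compromise, but every such location is code that NiFi will download and execute, so each one should be traced to an approving administrator or replaced with a locally staged driver before the flow is trusted.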

Fix

Weakness Enumeration

Code Injection

Related Identifiers

BDU:2023-06376
BIT-NIFI-2023-36542
CVE-2023-36542
GHSA-R969-8V3H-23V9

Affected Products

Apache Nifi