CVE-2023-34468

Name of the Vulnerable Software and Affected Versions Apache NiFi versions 0.0.2 through 1.21.0

Description The issue in Apache NiFi is related to the DBCPConnectionPool and HikariCPConnectionPool Controller Services, which allow an authenticated and authorized user to configure a Database URL with the H2 driver, enabling custom code execution. This can be exploited by a remote attacker to execute arbitrary code. Thousands of organizations are impacted by this issue. The resolution involves validating the Database URL and rejecting H2 JDBC locations.

Recommendations For Apache NiFi versions 0.0.2 through 1.21.0, upgrade to version 1.22.0 or later, which fixes this issue. As a temporary workaround, consider restricting the use of the H2 driver in the Database URL configuration to minimize the risk of exploitation.