关联漏洞
标题:
Apache NiFi 安全漏洞
(CVE-2023-40037)
描述:Apache NiFi是美国阿帕奇(Apache)基金会的一套数据处理和分发系统。该系统主要用于数据路由、转换和系统中介逻辑。 Apache NiFi 1.21.0至1.23.0版本存在安全漏洞,该漏洞源于允许经过身份验证和授权的攻击者使用自定义输入格式绕过连接URL验证。
描述
CVE-2023-40037: Incomplete Validation of JDBC and JNDI Connection URLs in Apache NiFi
介绍
# CVE-2023-40037: Incomplete Validation of JDBC and JNDI Connection URLs in Apache NiFi
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
### Vendor Disclosure:
The vendor's disclosure and fix for this vulnerability can be found [here](https://nifi.apache.org/security.html#CVE-2023-40037).
### Requirements:
This vulnerability requires:
<br/>
- Valid user credentials
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2023-40037/blob/main/Apache%20NiFi%20-%20CVE-2023-40037.pdf).
文件快照
[4.0K] /data/pocs/000a9dc7848e4cc560b4fb236f1ba400ffc294f8
├── [1.5M] Apache NiFi - CVE-2023-40037.pdf
└── [1003] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。