oss-sec mailing list archives

CVE-2023-36542: Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources


From: David Handermann <exceptionfactory () apache org>
Date: Sat, 29 Jul 2023 02:25:39 +0000

Severity: moderate

Affected versions:

- Apache NiFi 0.0.2 through 1.22.0

Description:

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for 
retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code 
execution. The resolution introduces a new Required Permission for referencing remote resources, restricting 
configuration of these components to privileged users. The permission prevents unprivileged users from configuring 
Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache 
NiFi 1.23.0 is the recommended mitigation.

This issue is being tracked as NIFI-11744.
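The new Required Permission in 1.23.0 gates who may configure components that reference remote resources; an operator may still want to inventory which existing components already point driver-location properties at http(s) URLs. The following script is an added example, not NiFi project code: it walks a simplified, constructed JSON representation of component properties (the shape is an assumption, not NiFi's actual flow definition schema, and the component and property names are illustrative) and reports every http(s) reference, while leaving local paths and file:// URLs alone. Comma-separated lists of locations are split on the assumption that a property may hold several locations.

```python
import json
from urllib.parse import urlsplit

# Constructed sample input. The structure below is a simplified assumption for
# this example and is not the Apache NiFi flow definition format; component
# and property names are illustrative only.
SAMPLE_FLOW_JSON = """
{
  "components": [
    {"name": "DBCPConnectionPool-1", "type": "ControllerService",
     "properties": {
       "Database Driver Location(s)": "/opt/nifi/drivers/postgresql.jar",
       "Database Connection URL": "jdbc:postgresql://db.internal:5432/app"}},
    {"name": "DBCPConnectionPool-2", "type": "ControllerService",
     "properties": {
       "Database Driver Location(s)": "file:///opt/nifi/drivers/mysql.jar, https://files.example.test/custom-driver.jar"}},
    {"name": "ExecuteSQL-1", "type": "Processor",
     "properties": {"SQL select query": "SELECT 1"}}
  ]
}
"""

# Schemes that cause a driver to be fetched from a remote host at runtime.
REMOTE_SCHEMES = {"http", "https"}


def split_locations(value):
    """Split a comma-separated list of locations (assumed list convention),
    dropping surrounding whitespace and empty entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_remote_reference(location):
    """True when a location is an http(s) URL with a host component.
    Local paths ('/opt/...') and file:// URLs are not remote references;
    'jdbc:...' connection strings have no '//' authority and are skipped."""
    parsed = urlsplit(location)
    return parsed.scheme.lower() in REMOTE_SCHEMES and bool(parsed.netloc)


def find_remote_references(flow):
    """Return a list of (component name, property name, URL) tuples for every
    property value that references a remote http(s) resource."""
    findings = []
    for component in flow.get("components", []):
        for prop_name, prop_value in component.get("properties", {}).items():
            if not isinstance(prop_value, str):
                continue
            for location in split_locations(prop_value):
                if is_remote_reference(location):
                    findings.append((component["name"], prop_name, location))
    return findings


def audit(flow_json):
    """Parse the JSON document and return the remote-reference findings."""
    return find_remote_references(json.loads(flow_json))


if __name__ == "__main__":
    for name, prop, url in audit(SAMPLE_FLOW_JSON):
        print(f"{name}: property '{prop}' references remote resource {url}")
```

Run against the constructed sample, the script reports only the second connection pool, whose driver-location list mixes a local file:// jar with an https:// download; the first pool's local path and jdbc: connection string are correctly ignored. Adapting it to a real deployment means replacing the sample loader with one that reads the actual exported flow and selecting the properties known to accept driver locations.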

Credit:

nbxiglk (finder)

References:

https://nifi.apache.org/security.html#CVE-2023-36542
https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-36542
https://issues.apache.org/jira/browse/NIFI-11744

Timeline:

2023-06-19: reported
2023-06-21: confirmed
2023-06-21: resolved
