The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires:
- Valid user credentials
More details and the exploitation process can be found in this PDF.
Thanks h00die for writing the Metasploit module and including me as the discoverer.
Awesome blogpost from David "ExceptionFactory" Handermann offering a developer's perspective on CVE-2023-34468 and CVE-2023-40037.
CVE-2023-40037: Incomplete Validation of JDBC and JNDI Connection URLs in Apache NiFi can be used to bypass security measures implemented for CVE-2023-34468 resulting in RCE for versions of Apache NiFi <= 1.23.0.