CVE-2023-34212

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Published: Jun 12, 2023
Updated: May 4, 2025
CVE: CVE-2023-34212
GHSA: GHSA-65wh-g8x8-gm2h
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
org.apache.nifi / nifi-jms-bundle	1.8.0	1.22.0
apache / nifi	1.8.0	1.21.0.x

http://www.openwall.com/lists/oss-security/2023/06/12/2
https://github.com/apache/nifi/commit/3fcb82ee4509d1ad73893d8dca003be6d086c5d6
https://github.com/apache/nifi/pull/7313
https://issues.apache.org/jira/browse/NIFI-11614
https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5
https://nifi.apache.org/security.html#CVE-2023-34212

Vulnerability Database

289,689

CVE-2023-34212