module
Apache NiFi H2 Connection String Remote Code Execution
| Disclosed |
|---|
| Jun 12, 2023 |
Description
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in
Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user
to configure a Database URL with the H2 driver that enables custom code execution.
This exploit will result in several shells (5-7).
Successfully tested against Apache NiFi 1.17.0 through 1.21.0.
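A defender-side check for the condition described above, as an added example that is not part of the module or of Apache NiFi: it tests a version string against the affected range stated here and flags connection pool services whose Database URL uses the H2 driver. The service dictionary shape, the property key names and the sample inventory are constructed assumptions; adapt the loader to however you export your flow.

```python
import re

# Affected range as stated in the description above.
AFFECTED_MIN, AFFECTED_MAX = (0, 0, 2), (1, 21, 0)
POOL_TYPES = ("DBCPConnectionPool", "HikariCPConnectionPool")
H2_URL = re.compile(r"\s*jdbc:h2:", re.IGNORECASE)
EXPRESSION = re.compile(r"\$\{[^}]+\}")  # value resolved at runtime, not visible here

def parse_version(text):
    """'1.21.0-SNAPSHOT' -> (1, 21, 0); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_affected(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def audit_services(services):
    """Return (service name, property, reason) for each pool needing review."""
    findings = []
    for svc in services:
        if not svc.get("type", "").endswith(POOL_TYPES):
            continue
        for key, value in (svc.get("properties") or {}).items():
            if not isinstance(value, str):
                continue
            if H2_URL.match(value):
                findings.append((svc.get("name", "?"), key, "h2-url"))
            elif "url" in key.lower() and EXPRESSION.search(value):
                # The URL comes from a variable, so the driver cannot be
                # determined from the flow alone and needs manual review.
                findings.append((svc.get("name", "?"), key, "unresolved-expression"))
    return findings

# Constructed sample inventory (hypothetical names, keys and hosts).
SAMPLE = [
    {"name": "orders-db", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {"Database Connection URL": "jdbc:postgresql://db.example.internal/orders"}},
    {"name": "scratch", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {"Database Connection URL": " JDBC:H2:mem:scratch"}},
    {"name": "reporting", "type": "org.apache.nifi.dbcp.HikariCPConnectionPool",
     "properties": {"connection-url": "${reporting.jdbc.url}"}},
    {"name": "cache", "type": "org.example.OtherService",
     "properties": {"url": "jdbc:h2:mem:x"}},
]

if __name__ == "__main__":
    print("1.21.0 affected:", version_affected("1.21.0"))
    for finding in audit_services(SAMPLE):
        print(finding)
```
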