CVE-2023-34468: Remote Code Execution via DB Components in Apache NiFi# CVE-2023-34468: Remote Code Execution via DB Components in Apache NiFi
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
### Vendor Disclosure:
The vendor's disclosure and fix for this vulnerability can be found [here](https://nifi.apache.org/security.html#CVE-2023-34468).
### Requirements:
This vulnerability requires:
<br/>
- Valid user credentials
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2023-34468/blob/main/Apache%20NiFi%20-%20CVE-2023-34468.pdf).
### Additional Resources:
Thanks [h00die](https://github.com/h00die) for writing the [Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/http/apache_nifi_h2_rce/) and including me as the discoverer.
Awesome [blogpost](https://exceptionfactory.com/posts/2023/10/07/firsthand-analysis-of-apache-nifi-vulnerability-cve-2023-34468/) from David "ExceptionFactory" Handermann offering a developer's perspective on CVE-2023-34468 and CVE-2023-40037.
[CVE-2023-40037: Incomplete Validation of JDBC and JNDI Connection URLs in Apache NiFi](https://github.com/mbadanoiu/CVE-2023-40037) can be used to bypass security measures implemented for CVE-2023-34468 resulting in RCE for versions of Apache NiFi <= 1.23.0.
[4.0K] /data/pocs/4cfcbae71817ec092128efa873a1b8cd4f8faafc
├── [1.7M] Apache NiFi - CVE-2023-34468.pdf
└── [1.4K] README.md
0 directories, 2 files