CVE-2023-40037: Apache NiFi Insufficient Property Validation vulnerability
CVSS Score: 6.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2023-40037
GHSA ID:
EPSS Score: 0.79613%
CWE: CWE-184 (Incomplete List of Disallowed Inputs), CWE-697 (Incorrect Comparison)
Published: 8/19/2023
Updated: 2/13/2025
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.nifi:nifi-dbcp-base | maven | >= 1.21.0, < 1.23.1 | 1.23.1 |
| org.apache.nifi:nifi-jms-processors | maven | >= 1.21.0, < 1.23.1 | 1.23.1 |
| org.apache.nifi:nifi-dbcp-service-api | maven | >= 1.21.0, < 1.23.1 | 1.23.1 |
| org.apache.nifi:nifi-dbcp-service-bundle | maven | >= 1.21.0, < 1.23.1 | 1.23.1 |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability stems from insufficient validation of the JDBC and JNDI connection URL and driver class properties. The fix commit shows three key changes: (1) JNDI URL validation now evaluates Expression Language and trims the input before checking it, which indicates that the earlier check ran against the raw, unevaluated string and could be sidestepped by leading whitespace or by wrapping the value in an Expression Language function; (2) connection URL checks switched from startsWith() to contains(), closing a partial-scheme bypass in which the disallowed scheme did not sit at the very start of the string; (3) the driver class properties replaced generic validators with a dedicated DriverClassValidator that blocks dangerous drivers such as H2. These changes map directly to the CWE-184 (Incomplete List of Disallowed Inputs) and CWE-697 (Incorrect Comparison) weaknesses assigned to this advisory and confirm that the original validation functions could be bypassed with crafted input. Per the CVSS vector, the attacker must already be an authenticated user with permission to configure the affected components (PR:L), and the rated impact is to integrity only (C:N/I:H/A:N).
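To make the three fixes concrete, here is an added example written for this page; it is not Apache NiFi's code and does not use NiFi's APIs. It models a pre-fix validator (prefix check on the raw property value) beside a post-fix one (evaluate, trim, contains() check, dedicated driver-class denylist) and runs both over constructed property values. The `${literal('...')}` resolver is a toy stand-in for the real Expression Language evaluator, and the disallow lists are assumptions beyond the H2 driver the analysis names.

```python
import re

# Constructed disallow lists for this example. The analysis above names only
# H2 as the dangerous driver; the exact entries here are assumptions.
DISALLOWED_URL_FRAGMENTS = ("jdbc:h2",)
DISALLOWED_DRIVER_CLASSES = ("org.h2.Driver",)

# Toy stand-in for NiFi Expression Language: resolves only ${literal('...')}.
_LITERAL_EL = re.compile(r"\$\{\s*literal\(\s*'([^']*)'\s*\)\s*\}")


def evaluate_expression_language(value: str) -> str:
    """Resolve ${literal('x')} to x. Real NiFi EL supports far more; this is
    just enough to show why validating the unevaluated string is unsafe."""
    return _LITERAL_EL.sub(lambda m: m.group(1), value)


def weak_validate_url(raw: str) -> bool:
    """Pre-fix shape: prefix check on the raw property value, no trim, no EL.
    Returns True when the value is accepted."""
    return not any(raw.startswith(frag) for frag in DISALLOWED_URL_FRAGMENTS)


def hardened_validate_url(raw: str) -> bool:
    """Post-fix shape: evaluate EL, trim, then reject if a disallowed
    fragment appears anywhere in the resulting string."""
    value = evaluate_expression_language(raw).strip()
    return not any(frag in value for frag in DISALLOWED_URL_FRAGMENTS)


def weak_validate_driver_class(raw: str) -> bool:
    """Generic 'non-empty' validator: says nothing about which driver loads."""
    return bool(raw.strip())


def hardened_validate_driver_class(raw: str) -> bool:
    """Dedicated driver-class validator: evaluate, trim, check the denylist."""
    value = evaluate_expression_language(raw).strip()
    return bool(value) and value not in DISALLOWED_DRIVER_CLASSES


# Constructed property values: one benign, the rest aimed at the pre-fix checks.
URL_CASES = {
    "benign":        "jdbc:postgresql://db.internal:5432/app",
    "direct":        "jdbc:h2:mem:test",
    "leading_space": " jdbc:h2:mem:test",
    "el_wrapped":    "${literal('jdbc:h2:mem:test')}",
}

DRIVER_CASES = {
    "benign":     "org.postgresql.Driver",
    "direct":     "org.h2.Driver",
    "el_wrapped": "${literal('org.h2.Driver')}",
}


def compare_url_validators() -> dict:
    """Map case name -> (weak_accepts, hardened_accepts)."""
    return {name: (weak_validate_url(v), hardened_validate_url(v))
            for name, v in URL_CASES.items()}


def compare_driver_validators() -> dict:
    """Map case name -> (weak_accepts, hardened_accepts)."""
    return {name: (weak_validate_driver_class(v), hardened_validate_driver_class(v))
            for name, v in DRIVER_CASES.items()}


if __name__ == "__main__":
    for label, results in (("URL", compare_url_validators()),
                           ("driver class", compare_driver_validators())):
        for name, (weak, hard) in results.items():
            print(f"{label:12} {name:14} weak={'accept' if weak else 'reject':6} "
                  f"hardened={'accept' if hard else 'reject'}")
```

Running it shows the weak URL check accepting both the whitespace-prefixed and the Expression Language wrapped H2 URL while rejecting only the literal one, and the generic driver-class validator accepting `org.h2.Driver` outright; the hardened pair rejects all of them and still accepts the PostgreSQL values. The order matters: evaluation and trimming must happen before the comparison, or the comparison is made against a string the runtime will never use.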