How severe is CVE-2023-34212?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2023-34212?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2023-34212 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

Related Vulnerabilities

CVE-2016-10304

MEDIUM

CVSS:6.5(Medium)

The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java obj...

CWE-5022016

CVE-2017-1000355

MEDIUM

CVSS:6.5(Medium)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.

CWE-5022017

CVE-2017-10803

MEDIUM

CVSS:6.5(Medium)

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated pri...

CWE-5022017

CVE-2019-12799

MEDIUM

CVSS:6.5(Medium)

In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right...

CWE-5022019

CVE-2019-14466

MEDIUM

CVSS:6.5(Medium)

The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user acc...

CWE-5022019

CVE-2020-12469

MEDIUM

CVSS:6.5(Medium)

admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit.

CWE-5022020