GHSA-xm2m-2q6h-22jw · Severity: high · Ecosystem: maven — Apache NiFi vulnerable to Code Injection
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
Conclusion & alert: CVE-2023-34468 is rated Moderate Risk (64.9/100): CVSS High severity, with high exploitation likelihood (EPSS 63.38%, 99th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 77.65% | 63.38% | -14.26% |
| 2 | 2026-06-13 | 78.06% | 77.65% | -0.42% |
| 3 | 2026-06-01 | — | 78.06% | — |
Full EPSS history (51 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-xm2m-2q6h-22jw · Severity: high · Ecosystem: maven — Apache NiFi vulnerable to Code Injection
| URL | Tags |
|---|---|
| http://packetstormsecurity.com/files/174398/Apache-NiFi-H2-Connection-String-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
| http://www.openwall.com/lists/oss-security/2023/06/12/3 | Mailing List Third Party Advisory |
| https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8 | Mailing List Vendor Advisory |
| https://nifi.apache.org/security.html#CVE-2023-34468 | Release Notes Vendor Advisory |
| https://www.cyfirma.com/outofband/apache-nifi-cve-2023-34468-rce-vulnerability-analysis-and-exploitation/ | Third Party Advisory |