GHSA-65wh-g8x8-gm2h

GitHub Security Advisory

Apache NiFi vulnerable to Deserialization of Untrusted Data

Severity: MODERATE (GitHub reviewed, has CVE)

Advisory Details

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later, which fixes this issue.
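The fix described above is an allowlist on the JNDI provider URL scheme. The following is an added illustration of that pattern, not Apache NiFi's own code; the allowed-scheme set and the class name are assumptions, since the advisory does not list the schemes NiFi actually permits.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Illustrative (hypothetical) allowlist check for a JNDI provider URL. */
public final class JndiProviderUrlCheck {
    // Assumed allowlist for illustration only; the advisory does not state NiFi's set.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("tcp", "ssl", "vm");

    /**
     * Returns true only when the URL parses and its scheme is on the allowlist.
     * Anything unparseable, scheme-less, or using an unlisted scheme is rejected,
     * so a provider URL pointing at a remote object/class source is never accepted.
     */
    public static boolean isAllowed(String providerUrl) {
        if (providerUrl == null || providerUrl.isBlank()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(providerUrl.trim());
        } catch (URISyntaxException e) {
            return false; // reject rather than guess at malformed input
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // relative or opaque values carry no scheme
        }
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first two should pass, the rest should be rejected.
        String[] samples = {
            "tcp://broker.internal:61616",
            "SSL://broker.internal:61617",
            "ldap://directory.example/cn=x",   // unlisted scheme
            "broker.internal:61616",           // no scheme
            "://bad"                           // unparseable
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s, isAllowed(s) ? "allowed" : "rejected");
        }
    }
}
```

A deployment-side check to pair with this is confirming the installed `nifi-jms-processors` version is 1.22.0 or later, since the validation only exists from that release onward.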

Affected Packages

Maven org.apache.nifi:nifi-jms-processors
Affected versions: 1.8.0 through 1.21.0 (fixed in 1.22.0)

Key Information

GHSA ID
GHSA-65wh-g8x8-gm2h
Published
June 12, 2023 6:30 PM
Last Modified
February 13, 2025 6:57 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.apache.nifi:nifi-jms-processors
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.