GHSA-chxj-gxww-q98w
Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Attacker needs network-reachable MySQL with low-privilege CREATE TABLE access; scope change applies because injected SQL executes under NiFi's service account, crossing the security boundary of the vulnerable component.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Lifecycle Timeline
2Description PRE-NVD
AnalysisAI
SQL injection via improperly escaped MySQL table names in Apache NiFi's CaptureChangeMySQL Processor (versions 1.2.0 through 2.9.0) allows an attacker with MySQL CREATE TABLE access in a monitored database to inject arbitrary SQL commands executed under NiFi's MySQL service credentials. A partial mitigation introduced in 1.8.0 added manual quoted boundaries that narrowed - but did not eliminate - the injection surface; the root flaw persisted for years until full remediation in 2.10.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following concurrent conditions: (1) an Apache NiFi instance with at least one CaptureChangeMySQL Processor actively deployed and enabled in a running data flow - installations without this processor are entirely unexposed; (2) the attacker must possess MySQL credentials with sufficient privileges to CREATE TABLE in a schema that is actively monitored by that NiFi processor; (3) NiFi must hold CDC-level MySQL access (REPLICATION CLIENT and REPLICATION SLAVE) to the target MySQL instance so that binary log events for the crafted table are consumed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score is available from any source in this dataset, requiring all metric assessments to be inferred from the description, JIRA metadata, and contextual signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privileged MySQL account in a schema monitored by an active NiFi CaptureChangeMySQL Processor creates a table whose name contains SQL metacharacters designed to break out of the identifier context - for example, a backtick-escaped sequence followed by injected SQL statements. When NiFi's processor next polls the MySQL binary log and encounters the CDC event for that table, it constructs a metadata SQL query by interpolating the raw table name, causing the injected fragment to execute under NiFi's MySQL service credentials. … |
| Remediation | Upgrade to Apache NiFi 2.10.0, the vendor-released patch that incorporates robust SQL identifier escaping in the CaptureChangeMySQL Processor, as confirmed by JIRA NIFI-15905 (resolved 2026-05-05, Fix Version 2.10.0) at https://issues.apache.org/jira/browse/NIFI-15905 and implemented via GitHub PR #11206. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all NiFi deployments running versions 1.2.0-2.9.0 with CaptureChangeMySQL Processor active and document their business criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authe
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization
Apache NiFi External XML Entity issue in SplitXML processor. Rated critical severity (CVSS 9.8), this vulnerability is r
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retriev
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not ne
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiF
A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exp
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow frami
Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Res
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configu
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38217