Full title: Apache NiFi H2 Connection String Remote Code Execution Exploit
Category: remote exploits
Platform: unix

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

This exploit will result in several shells (5-7). Successfully tested against Apache NiFi 1.17.0 through 1.21.0.

# 0day.today @ http://0day.today/