Is CVE-2022-33140 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 4%.

What products does CVE-2022-33140 affect?

Tracked products affected include macOS. Check the version you run to see whether it is affected.

How do I fix CVE-2022-33140?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2022-33140

Q: What is CVE-2022-33140?

CVE-2022-33140 is a high-severity software vulnerability (OS command injection) with a CVSS score of 8.8. The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS pla

HIGH severity · CVSS 8.8 · OS command injection

8.8CVSS HIGH

Summary

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)4%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

macOS

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2022-33140

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information