Update CVE-2023-52251.yaml

patch-4
Dhiyaneshwaran 2024-03-14 15:48:27 +05:30 committed by GitHub
parent 456ed4ec41
commit 55b1e930ef
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 20 additions and 13 deletions

View File

@ -1,25 +1,32 @@
id: CVE-2023-52251
info:
name: kafka-ui - RCE
name: Kafka UI 0.7.1 Command Injection
author: yhy0
severity: critical
severity: high
description: |
Remote Code Execution vulnerability provectus/kafka-ui.
remediation: |
Do not expose to the Internet
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
reference:
- https://github.com/BobTheShoplifter/CVE-2023-52251-POC
- https://github.com/provectus/kafka-ui
- http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
- https://github.com/nomi-sec/PoC-in-GitHub
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-52251
cwe-id: CWE-94
epss-score: 0.02881
epss-percentile: 0.90497
cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
metadata:
max-request: 3
fofa-query: icon_hash="-1477045616"
verified: true
tags: cve,cve2023,rce,kafka,kafka-ui
max-request: 3
vendor: provectus
product: ui
framework: kafka
fofa-query: icon_hash="-1477045616"
tags: packetstorm,cve,cve2023,rce,kafka,kafka-ui
http:
- method: GET