CVSS: 9.0EPSS: 93%CPEs: 1EXPL: 2CVE-2023-52251 – Kafka UI 0.7.1 Command Injection
https://notcve.org/view.php?id=CVE-2023-52251
25 Jan 2024 — An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. Un problema descubierto en provectus kafka-ui v0.4.0 a v0.7.1 permite a atacantes remotos ejecutar código arbitrario a través del parámetro q de /api/clusters/local/topics/{topic}/messages. A command injection vulnerability exists in Kafka UI versions 0.4.0 through 0.7.1 that allows an attacker to inject and execute arbitrary shel... • https://packetstorm.news/files/id/177214 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 0CVE-2022-39395 – Vela Insecure Defaults
https://notcve.org/view.php?id=CVE-2022-39395
10 Nov 2022 — Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrup... • https://docs.docker.com/engine/security/#docker-daemon-attack-surface • CWE-269: Improper Privilege Management •