CVE-2023-52251 – Kafka UI 0.7.1 Command Injection
https://notcve.org/view.php?id=CVE-2023-52251
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. Un problema descubierto en provectus kafka-ui v0.4.0 a v0.7.1 permite a atacantes remotos ejecutar código arbitrario a través del parámetro q de /api/clusters/local/topics/{topic}/messages. A command injection vulnerability exists in Kafka UI versions 0.4.0 through 0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section. • https://github.com/BobTheShoplifter/CVE-2023-52251-POC http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-39395 – Vela Insecure Defaults
https://notcve.org/view.php?id=CVE-2022-39395
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. • https://docs.docker.com/engine/security/#docker-daemon-attack-surface https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4 https://github.com/go-vela/server/releases/tag/v0.16.0 https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593 https://github.com/go-vela/ui/releases/tag/v0.17.0 https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v https://github.com/go-vela/worker/releases/tag/v0.16.0 https://github.com& • CWE-269: Improper Privilege Management •