
CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

CVE-2024-32030

Kafka UI is an open-source web UI for Apache Kafka management. The Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. An attacker can exploit this feature by pointing the Kafka UI backend at a malicious broker under their control.

References:
• https://github.com/huseyinstif/CVE-2024-32030-Nuclei-Template
• https://github.com/provectus/kafka-ui/commit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7#diff-37e769f4709c1e78c076a5949bbcead74e969725bfd89c7c4ba6d6f229a411e6R36
• https://github.com/provectus/kafka-ui/pull/4427
• https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui

Weaknesses:
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-502: Deserialization of Untrusted Data

CVSS: 8.8 | EPSS: 94% | CPEs: 1 | EXPL: 1

CVE-2023-52251

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. A command injection vulnerability exists in Kafka UI versions 0.4.0 through 0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the Groovy filter parameter in the topic section.

References:
• https://github.com/BobTheShoplifter/CVE-2023-52251-POC
• http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
• https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251

Weaknesses:
• CWE-94: Improper Control of Generation of Code ('Code Injection')