CVE-2023-52251: 
NixOS vulnerability analysis and mitigation

A remote code execution (RCE) vulnerability was discovered in provectus kafka-ui versions 0.4.0 through 0.7.1. The vulnerability, identified as CVE-2023-52251, allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages endpoint. This vulnerability was discovered and disclosed on September 27, 2023, and was later patched in version 0.7.2 released in April 2024 (GitHub Security Lab).

The vulnerability exists due to insufficient sanitization of the Groovy script filter before execution in the groovyScriptFilter function. The vulnerable code executes the script through compiledScript.eval(bindings) without proper validation. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD). The issue is classified as CWE-94: Improper Control of Generation of Code ('Code Injection').

The vulnerability allows attackers to execute arbitrary code on the server, potentially leading to complete system compromise. This is particularly concerning as Kafka UI does not have authentication enabled by default. According to security researchers, there were over 1,000 instances of kafka-ui exposed to the internet at the time of discovery, all potentially vulnerable to this attack. The software is also commonly deployed on internal networks, increasing the potential attack surface (CVE-2023-52251-POC).

The vulnerability has been patched in kafka-ui version 0.7.2. Users are strongly advised to upgrade to this version or later. For those unable to upgrade immediately, it is recommended to implement authentication as a minimum security measure and consider commenting out the entire groovy filter function. Organizations should also ensure that kafka-ui instances are not exposed to the public internet without proper security controls (ASEC).