Kafka-ui Product Security Update Advisory

Overview

 

An update has been released to address two vulnerabilities in our Kafka-ui product. Users of affected versions are advised to update to the latest version.

 

Affected Products

 

CVE-2023-52251

  • Kafka-ui versions: 0.4.0 (inclusive) ~ 0.7.1 (inclusive)

 

CVE-2024-32030 (affects deployments where at least one of the following holds)

  • the dynamic.config.enabled property is set to true (it is not enabled by default)
  • an attacker has gained access to the Kafka cluster that Kafka-ui connects to

 

Resolved Vulnerabilities

 

Arbitrary code execution via unsandboxed evaluation of user-supplied Groovy scripts in the message filtering feature of Kafka-ui (CVE-2023-52251)

Arbitrary code execution via JNDI/RMI deserialization when JMX metrics collection in Kafka-ui connects to an attacker-controlled JMX endpoint (CVE-2024-32030)

 

Vulnerability Patches

 

Patches for both vulnerabilities are included in the latest release. Please follow the instructions on the Referenced Sites to update to the patched version listed below.

CVE-2023-52251, CVE-2024-32030

  • Kafka-ui version: 0.7.2
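The following triage helper is an added example, not code from this advisory or from the kafka-ui project. It takes a constructed inventory of Kafka-ui deployments (version string plus the value of dynamic.config.enabled) and reports which of the two CVEs above apply, using the affected range for CVE-2023-52251 (0.4.0 to 0.7.1 inclusive) and the fixed version 0.7.2 from the sections above. Two assumptions are made: every version below 0.7.2 is treated as carrying CVE-2024-32030 (the advisory gives only the fixed version, not a lower bound), and the deployment names, versions and the Deployment/triage helpers are hypothetical.

```python
"""Added triage helper (not part of the advisory or the kafka-ui project).

Reports which advisory CVEs apply to each Kafka-ui deployment in an inventory.
- CVE-2023-52251: 0.4.0 <= version <= 0.7.1 (range from the advisory)
- CVE-2024-32030: assumption: every version below the 0.7.2 fix is affected;
  the advisory's two preconditions decide how the finding is annotated.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (0, 7, 2)                                  # advisory: both CVEs fixed in 0.7.2
GROOVY_RCE_FIRST, GROOVY_RCE_LAST = (0, 4, 0), (0, 7, 1)  # CVE-2023-52251, inclusive

# Accepts "0.7.1", "v0.7.1" and suffixed builds such as "0.7.1-SNAPSHOT".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


@dataclass(frozen=True)
class Deployment:
    name: str                     # hypothetical inventory label
    version: str                  # version string as reported by the deployment
    dynamic_config_enabled: bool  # value of the dynamic.config.enabled property


def parse_version(text: str) -> tuple:
    """Turn a kafka-ui version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def applicable_cves(dep: Deployment) -> dict:
    """Map each applicable CVE to a short note on the exploitation precondition."""
    v = parse_version(dep.version)
    findings = {}
    if GROOVY_RCE_FIRST <= v <= GROOVY_RCE_LAST:
        # Any user who can reach the message-filter feature can submit a Groovy script.
        findings["CVE-2023-52251"] = "exploitable by any user with access to message filtering"
    if v < FIXED_VERSION:
        # Assumption: all pre-fix versions carry the JMX/JNDI issue; annotate with
        # whichever advisory precondition applies to this deployment.
        if dep.dynamic_config_enabled:
            findings["CVE-2024-32030"] = "dynamic.config.enabled is set"
        else:
            findings["CVE-2024-32030"] = (
                "latent: exploitable only if an attacker gains access to the connected Kafka cluster"
            )
    return findings


def triage(inventory) -> dict:
    """Run applicable_cves over an inventory; deployments with no findings are omitted."""
    report = {}
    for dep in inventory:
        cves = applicable_cves(dep)
        if cves:
            report[dep.name] = cves
    return report


# Constructed sample inventory (hypothetical names, versions and settings).
SAMPLE_INVENTORY = [
    Deployment("kafka-ui-prod", "v0.7.1", dynamic_config_enabled=True),
    Deployment("kafka-ui-staging", "0.7.2", dynamic_config_enabled=True),
    Deployment("kafka-ui-legacy", "0.3.3", dynamic_config_enabled=False),
    Deployment("kafka-ui-dev", "0.6.2-SNAPSHOT", dynamic_config_enabled=False),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(name)
        for cve, note in cves.items():
            print(f"  {cve}: {note}")
```

On the sample inventory only the 0.7.2 deployment comes back clean; the 0.7.1 deployment with dynamic configuration enabled is flagged for both CVEs with no further precondition, while the two older deployments without dynamic configuration carry CVE-2024-32030 as a latent finding that still warrants the upgrade.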

 

Referenced Sites

 

[1] CVE-2023-52251 Detail

https://nvd.nist.gov/vuln/detail/CVE-2023-52251

[2] CVE-2023-52251-POC

https://github.com/BobTheShoplifter/CVE-2023-52251-POC

[3] GHSL-2023-229_GHSL-2023-230: Remote code execution (RCE) in UI for Apache Kafka – CVE-2023-52251, CVE-2024-32030

https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/

[4] CVE-2024-32030 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-32030