Provectus Kafka-UI Code Injection Vulnerability in Endpoint Test Executions

A code injection vulnerability allowing remote execution of arbitrary Groovy scripts has been identified in Provectus Kafka-UI versions through 0.7.2. The issue arises in the 'validateAccess' function of the '/api/smartfilters/testexecutions' endpoint, where user-supplied code is executed without authentication or proper validation. This vulnerability could be exploited to execute malicious scripts on the server, potentially leading to unauthorized access or manipulation of data.

Impact

Exploitation of this vulnerability allows for full operating system command execution on the host running Kafka-UI, with the executed command's output returned in the response. This could lead to unauthorized access to sensitive information, exfiltration of Kafka data, lateral movement within the internal network, or persistence on the compromised system, all without requiring any credentials.

Reproduction

To reproduce this vulnerability, upload a Kafka-UI instance (version 0.7.2 or earlier) with authentication disabled. Then, send an unauthenticated PUT request to the '/api/smartfilters/testexecutions' endpoint, including a Groovy script payload in the 'filterCode' field. The server will execute the script in an unsandboxed environment and return the output in the response.