Cyber Resilience

CVE-2024-32030

Severity: High · RCE

Published: 19 June 2024
Modified: 15 April 2026
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8172 (99.2nd percentile)
Risk Priority: 65 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-32030 is a high-severity Code Injection (CWE-94) vulnerability in Github (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Kafka UI, an open-source web interface for managing Apache Kafka clusters, contains a deserialization vulnerability in its optional JMX-based broker monitoring feature. The component opens RMI connections to user-specified broker addresses and ports; because JMX relies on the RMI protocol, an attacker-supplied endpoint can return malicious serialized objects that the Kafka UI backend deserializes. This is reachable when the dynamic.config.enabled setting is present or when the attacker already controls a monitored Kafka cluster.

An unauthenticated remote attacker can therefore supply a malicious RMI listener instead of a legitimate JMX port, triggering gadget chains present in the application classpath and achieving remote code execution on the Kafka UI server. The same vector can be used by an attacker who already has access to a legitimate cluster to expand control to the management UI itself. The issue is exacerbated by the fact that Kafka UI ships without authentication enabled by default.

The vulnerability is tracked as GHSL-2023-230 and was fixed in release 0.7.2; the project repository contains the corresponding patch commits and pull request that disable unsafe JMX handling. No workarounds are documented. The EPSS score stands at 0.8172 and has shown no material post-disclosure increase from a lower baseline.

Vulnerability details

Kafka UI is an open-source web UI for Apache Kafka management. The Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting the Kafka UI backend to their own malicious broker. This vulnerability affects deployments where one of the following occurs:

1. The dynamic.config.enabled property is set in settings. It is not enabled by default, but many tutorials for Kafka UI, including its own README.md, suggest enabling it.
2. An attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well.

Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case this could lead to remote code execution, as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution, which is particularly dangerous as Kafka UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2; all users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security Lab and are also tracked as GHSL-2023-230.
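The deserialization path described above (JMX client unmarshalling RMI responses) is the kind of sink a JDK serialization filter is meant to guard. The following is an added example, not Kafka UI's own code, its 0.7.2 patch, or a documented workaround for this CVE: it shows a process-wide allowlist filter (Java 9+ ObjectInputFilter) rejecting a class that was never expected on the wire, which is the control named under Mitigating Controls as blocking malicious code introduced through deserialization. Class names in the pattern and the sample objects are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;

// Added example (not Kafka UI code): an allowlist filter for Java deserialization.
// JMX clients unmarshal RMI responses with ObjectInputStream, so a class that is
// not on the list is rejected before its readObject() runs, which is where
// gadget chains do their work.
public class DeserializationAllowlist {

    // Allow a few value types, reject everything else ("!*"); depth and byte
    // limits bound nested graphs as well. Pattern is illustrative, not the
    // set a real JMX client needs.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.lang.Number;maxdepth=8;maxbytes=65536;!*");

    // Install once at startup; equivalent to -Djdk.serialFilter=<pattern>.
    static void installGlobally() {
        ObjectInputFilter.Config.setSerialFilter(FILTER);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserialize under the filter; a rejected class surfaces as InvalidClassException.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign value, then an unexpected container type
        // standing in for whatever class an untrusted RMI peer chooses to return.
        System.out.println("accepted: " + readFiltered(serialize(Integer.valueOf(42))));
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter only raises the bar for a JVM that must talk to a JMX endpoint it does not trust; the advisory's remediation remains upgrading to 0.7.2.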

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Github (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-502, CWE-94: Untrusted serialized data is deserialized and observed inside an isolated sandbox, so gadget-chain exploitation cannot reach the host outside it.
- Addresses CWE-94, CWE-502: Validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-502: Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Addresses CWE-502: Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
- Addresses CWE-502: Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Addresses CWE-502: Integrity verification of serialized information can detect tampering before deserialization occurs.
