## https://sploitus.com/exploit?id=D88BDB44-BD94-56DB-A234-21E06C1828AE
# SecVulList-Veraxy00
Let’s share some vulnerabilities I’ve identified, including their details and exploitation methods.
## [Apache Flink Remote Code Execution Vulnerability](https://github.com/Veraxy00/SecVulList-Veraxy00/tree/main/Flink-Kafka-Vul)
The Apache Flink Web UI has no user authentication by default. An attacker who can reach it can upload a malicious JAR file directly and exploit CVE-2023-25194 [1], using the Kafka JNDI injection mechanism to attack Flink. This allows remote code execution.

[1] https://kafka.apache.org/cve-list#CVE-2023-25194
## [Apache NiFi Deserialization Vulnerability (CVE-2023-34212)](https://github.com/Veraxy00/SecVulList-Veraxy00/tree/main/CVE-2023-34212)
Multiple JMS components in Apache NiFi are affected by JNDI injection, which may lead to remote deserialization of untrusted data.

Reference: https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5