Kafka UI

3 ways to get Remote Code Execution in Kafka UI

GitHub

The popular open source web application Kafka UI has been found to have three security exposures that could lead to Remote Code Execution (RCE), an attack in which an attacker exploits a flaw in a system to run unauthorized code on it. The bugs were discovered by a security expert who found that the application's default configuration did not require authentication to read or write data. He further discovered that Kafka UI evaluates GROOVY_SCRIPT input internally, potentially allowing an attacker to execute arbitrary code. Finally, he found that when a new Kafka cluster is added through the UI, it can be pointed at an arbitrary JMX server, potentially exposing the system to deserialization attacks. These vulnerabilities have been fixed in version 0.7.2 of Kafka UI.