diff --git a/.appsec-tests/vpatch-CVE-2025-27817/CVE-2025-27817.yaml b/.appsec-tests/vpatch-CVE-2025-27817/CVE-2025-27817.yaml
new file mode 100644
index 00000000000..49057f75939
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2025-27817/CVE-2025-27817.yaml
@@ -0,0 +1,21 @@
+## autogenerated on 2026-02-11 14:36:16
+id: CVE-2025-27817
+info:
+  name: CVE-2025-27817
+  author: crowdsec
+  severity: info
+  description: CVE-2025-27817 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"type":"kafka","spec":{"type":"kafka","ioConfig":{"type":"kafka","consumerProperties":{"bootstrap.servers":"127.0.0.1:6666","sasl.mechanism":"OAUTHBEARER","security.protocol":"SASL_SSL","sasl.login.callback.handler.class":"org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler","sasl.oauthbearer.token.endpoint.url":"file:///etc/passwd","sasl.jaas.config":"org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required sasl.oauthbearer.token.endpoint.url=\"http://127.0.0.1:9999/token\" sasl.oauthbearer.jwks.endpoint.url=\"http://127.0.0.1:9999/jwks\" sasl.oauthbearer.client.id=your-client-id sasl.oauthbearer.client.secret=your-client-secret sasl.oauthbearer.expected.audience=kafka sasl.oauthbearer.expected.issuer=\"http://127.0.0.1:9999\" useFirstPass=true serviceName=kafka debug=true;"},"topic":"test","useEarliestOffset":true,"inputFormat":{"type":"regex","pattern":"([\\s\\S]*)","listDelimiter":"","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"granularitySpec":{"rollup":false}},"tuningConfig":{"type":"kafka"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
+    cookie-reuse: true
+    matchers:
+      - type: status
+        status:
+          - 403
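Review bot: The test asserts only a `403` status, and the accompanying config.yaml loads `base-config.yaml` together with the vpatch rule, so a block raised by the base rules on this request would make the test pass without exercising `vpatch-CVE-2025-27817`. A second raw request to the same sampler endpoint whose `sasl.oauthbearer.token.endpoint.url` is not a `file://` URL, matched to a non-403 status, would show the block comes from the property value and not from the endpoint path alone. The `description: CVE-2025-27817 testing` line is generator filler; `description: Expects the vpatch rule to block a Druid sampler request whose Kafka token endpoint URL is file://` would say what the template checks.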
diff --git a/.appsec-tests/vpatch-CVE-2025-27817/config.yaml b/.appsec-tests/vpatch-CVE-2025-27817/config.yaml
new file mode 100644
index 00000000000..2161d1b6862
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2025-27817/config.yaml
@@ -0,0 +1,5 @@
+## autogenerated on 2026-02-11 14:36:16
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-27817.yaml
+nuclei_template: CVE-2025-27817.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-27817.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-27817.yaml
new file mode 100644
index 00000000000..eff5c5c2850
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-27817.yaml
@@ -0,0 +1,40 @@
+## autogenerated on 2026-02-11 14:36:16
+name: crowdsecurity/vpatch-CVE-2025-27817
+description: 'Detects Apache Kafka Client arbitrary file read via untrusted sasl.oauthbearer.token.endpoint.url in Druid sampler endpoint.'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /druid/indexer/v1/sampler
+      - zones:
+          - BODY_ARGS_NAMES
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: sasl.oauthbearer.token.endpoint.url
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json.spec.ioConfig.consumerProperties.sasl.oauthbearer.token.endpoint.url
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: file://
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Apache Kafka - LFI'
+  classification:
+    - cve.CVE-2025-27817
+    - attack.T1190
+    - cwe.CWE-918
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index be9b0b6caa2..9b114909dfe 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
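Review bot: The third condition matches only `file://` in the token endpoint URL, while the labels classify the rule under `cwe.CWE-918` (server-side request forgery) and the label reads `Apache Kafka - LFI`, so the matcher and the metadata disagree about what is detected; a request that sets the same property to a network URL is not caught by this rule. Decide which scope is intended and make them agree: either keep the `file://` check and replace `cwe.CWE-918` with a file-read classification, or widen the match so the `file://` value is not the only trigger. Separately, the `variables:` path `json.spec.ioConfig.consumerProperties.sasl.oauthbearer.token.endpoint.url` uses dots as path separators while the JSON key itself contains dots; I cannot tell from the hunk how the engine resolves that, so it is worth confirming the test's 403 comes from this condition and not from `base-config.yaml`, which config.yaml loads alongside it.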
@@ -93,6 +93,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2021-44529
 - crowdsecurity/vpatch-CVE-2024-57727
 - crowdsecurity/vpatch-CVE-2024-27292
+- crowdsecurity/vpatch-CVE-2025-27817
 - crowdsecurity/vpatch-CVE-2025-24893
 - crowdsecurity/vpatch-CVE-2021-43798
 - crowdsecurity/vpatch-CVE-2022-1388