# Lab fixture: one kafka-ui container used to reproduce and verify
# CVE-2024-32030. The service is deliberately left exploitable, so the only
# containment in this file is the loopback-only port binding below.
# NOTE(review): no cap_drop, security_opt or read_only is set, so the
# container runs with the runtime's default privileges. Run it on a
# disposable host or VM and remove it with `docker compose down` afterwards.
services:
  kafka-ui:
    # Release under test, pinned by tag. Tags are mutable on the registry; for
    # a reproducible fixture also pin the digest, e.g.
    # provectuslabs/kafka-ui:v0.7.1@sha256:<digest-placeholder>.
    # NOTE(review): the upstream advisory is understood to list 0.7.2 as the
    # fixed release - confirm before using this file as a regression target.
    image: provectuslabs/kafka-ui:v0.7.1
    container_name: cve-2024-32030-kafka-ui
    environment:
      # Enables the unauthenticated POST /api/clusters dynamic-config surface
      # that the CVE-2024-32030 exploit registers a malicious JMX cluster through.
      # No authentication setting is configured anywhere in this file, so any
      # client that can reach port 8080 can change the cluster configuration.
      # Outside a lab, leave this unset and put the UI behind authentication.
      DYNAMIC_CONFIG_ENABLED: "true"
    ports:
      # Host-only: exploiter and verifier run on the same host.
      # Keep the 127.0.0.1 prefix; a bare "8080:8080" publishes the vulnerable
      # UI on every host interface.
      - "127.0.0.1:8080:8080"
    extra_hosts:
      # Lets the kafka-ui JVM reach a JRMP listener the attacker runs on the host.
      # host-gateway resolves to the host's gateway address, so the container
      # can also reach any other host service listening on that address.
      - "host.docker.internal:host-gateway"
    # The container is started again after a daemon or host restart unless it
    # was explicitly stopped, so the vulnerable service outlives the test
    # session until it is stopped or removed.
    restart: unless-stopped
    healthcheck:
      # actuator health endpoint is exposed by the kafka-ui spring boot app
      # The check runs inside the container, so 127.0.0.1 here is the
      # container's own loopback, not the host's.
      # Assumes wget is present in the image - TODO confirm.
      test: ["CMD", "wget", "-q", "-O", "-", "http://127.0.0.1:8080/actuator/health"]
      # Probe every 5s; 20 consecutive failures mark the container unhealthy.
      # Failures during the first 30s do not count toward that limit.
      interval: 5s
      timeout: 5s
      retries: 20
      start_period: 30s
