Lucene search

[email protected]NVD:CVE-2024-8285

HistoryAug 30, 2024 - 10:15 p.m.

CVE-2024-8285

2024-08-3022:15:06

CWE-295

CWE-297

[email protected]

web.nvd.nist.gov

kroxylicious

tls

hostname verification

kafka

insecure connection

man-in-the-middle

complexity

attack

data integrity

confidentiality

vulnerability

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

20.1%

JSON

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server’s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

Affected configurations

Nvd

Node

redhatkroxyliciousMatch-

VendorProductVersionCPE
redhatkroxylicious-cpe:2.3:a:redhat:kroxylicious:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	kroxylicious	-	cpe:2.3:a:redhat:kroxylicious:-:::::::*

References

access.redhat.com/security/cve/CVE-2024-8285

bugzilla.redhat.com/show_bug.cgi?id=2308606

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

20.1%

JSON

Related for NVD:CVE-2024-8285

cvelist1 redhatcve1 github1 vulnrichment1 cve1 osv1