A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Wed, 13 Nov 2024 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:amq_streams:2
References

Tue, 01 Oct 2024 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}


Wed, 25 Sep 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat kroxylicious
Weaknesses CWE-295
CPEs cpe:2.3:a:redhat:kroxylicious:-:*:*:*:*:*:*:*
Vendors & Products Redhat kroxylicious

Tue, 03 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 30 Aug 2024 21:30:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
Title kroxylicious: Missing upstream Kafka TLS hostname verification Kroxylicious: missing upstream kafka tls hostname verification
First Time appeared Redhat
Redhat amq Streams
CPEs cpe:/a:redhat:amq_streams:1
Vendors & Products Redhat
Redhat amq Streams
References

Fri, 30 Aug 2024 01:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title kroxylicious: Missing upstream Kafka TLS hostname verification
Weaknesses CWE-297
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}

threat_severity

Moderate


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-30T22:53:02.326Z

Reserved: 2024-08-28T19:38:52.128Z

Link: CVE-2024-8285

cve-icon Vulnrichment

Updated: 2024-09-03T13:31:58.981Z

cve-icon NVD

Status : Modified

Published: 2024-08-30T22:15:06.963

Modified: 2024-11-13T17:15:12.503

Link: CVE-2024-8285

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-08-27T00:00:00Z

Links: CVE-2024-8285 - Bugzilla

cve-icon OpenCVE Enrichment

No data.