CVE-2024-8285 - Vulnerability Details

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00101.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Amq Streams Kroxylicious

Configuration 1 [-]

cpe:2.3:a:redhat:kroxylicious:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Streams for Apache Kafka 2.8.0
io.kroxylicious-kroxylicious-parent	cpe:/a:redhat:amq_streams:2	RHSA-2024:9571	2024-11-13T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:9571
https://access.redhat.com/security/cve/CVE-2024-8285
https://bugzilla.redhat.com/show_bug.cgi?id=2308606
https://nvd.nist.gov/vuln/detail/CVE-2024-8285
https://www.cve.org/CVERecord?id=CVE-2024-8285

History

Wed, 13 Nov 2024 16:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:amq_streams:2
References		https://access.redhat.com/errata/RHSA-2024:9571

Tue, 01 Oct 2024 13:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}`	cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

Wed, 25 Sep 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat kroxylicious
Weaknesses		CWE-295
CPEs		cpe:2.3:a:redhat:kroxylicious:-:::::::*
Vendors & Products		Redhat kroxylicious

Tue, 03 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 30 Aug 2024 21:30:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
Title	kroxylicious: Missing upstream Kafka TLS hostname verification	Kroxylicious: missing upstream kafka tls hostname verification
First Time appeared		Redhat Redhat amq Streams
CPEs		cpe:/a:redhat:amq_streams:1
Vendors & Products		Redhat Redhat amq Streams
References		https://access.redhat.com/security/cve/CVE-2024-8285 https://bugzilla.redhat.com/show_bug.cgi?id=2308606

Fri, 30 Aug 2024 01:15:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		kroxylicious: Missing upstream Kafka TLS hostname verification
Weaknesses		CWE-297
References		https://nvd.nist.gov/vuln/detail/CVE-2024-8285 https://www.cve.org/CVERecord?id=CVE-2024-8285
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}` threat_severity `Moderate`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-08-30T21:10:52.324Z

Updated: 2025-08-30T22:53:02.326Z

Reserved: 2024-08-28T19:38:52.128Z

Link: CVE-2024-8285

Vulnrichment

Updated: 2024-09-03T13:31:58.981Z

NVD

Status : Modified

Published: 2024-08-30T22:15:06.963

Modified: 2024-11-13T17:15:12.503

Link: CVE-2024-8285

Redhat

Severity : Moderate

Publid Date: 2024-08-27T00:00:00Z

Links: CVE-2024-8285 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object