CVE-2024-8285 - OpenCVE

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Amq Streams

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2024-8285
https://bugzilla.redhat.com/show_bug.cgi?id=2308606
https://nvd.nist.gov/vuln/detail/CVE-2024-8285
https://www.cve.org/CVERecord?id=CVE-2024-8285

History

Tue, 03 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 30 Aug 2024 21:30:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
Title	kroxylicious: Missing upstream Kafka TLS hostname verification	Kroxylicious: missing upstream kafka tls hostname verification
First Time appeared		Redhat Redhat amq Streams
CPEs		cpe:/a:redhat:amq_streams:1
Vendors & Products		Redhat Redhat amq Streams
References		https://access.redhat.com/security/cve/CVE-2024-8285 https://bugzilla.redhat.com/show_bug.cgi?id=2308606

Fri, 30 Aug 2024 01:15:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		kroxylicious: Missing upstream Kafka TLS hostname verification
Weaknesses		CWE-297
References		https://nvd.nist.gov/vuln/detail/CVE-2024-8285 https://www.cve.org/CVERecord?id=CVE-2024-8285
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}` threat_severity `Moderate`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-08-30T21:10:52.324Z

Updated: 2024-09-18T06:42:45.166Z

Reserved: 2024-08-28T19:38:52.128Z

Link: CVE-2024-8285

Vulnrichment

Updated: 2024-09-03T13:31:58.981Z

NVD

Status : Awaiting Analysis

Published: 2024-08-30T22:15:06.963

Modified: 2024-09-03T12:59:02.453

Link: CVE-2024-8285

Redhat

Severity : Moderate

Publid Date: 2024-08-27T00:00:00Z

Links: CVE-2024-8285 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object