Kroxylicious TLS Connection Flaw: High Complexity Attack with Data Integrity and Confidentiality Impact
CVE-2024-8285

5.9MEDIUM

Key Information:

Status
Streams For Apache Kafka 2.8.0
Streams For Apache Kafka
Vendor
CVE Published:
30 August 2024

What is CVE-2024-8285?

A vulnerability exists in Kroxylicious where the software fails to adequately verify the hostname of an upstream Kafka server during the establishment of a TLS secured connection. This misconfiguration creates a potential for an attacker to execute a Man-in-the-Middle attack or compromise other external systems, such as DNS settings or network routing. Successful exploitation requires elevated privileges, allowing access to the Kroxylicious configuration or an associated peer system, thereby compromising both data integrity and confidentiality during data exchange.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://access.redhat.com/errata/RHSA-2024:9571
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-8285
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2308606
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.