Kroxylicious TLS Connection Flaw: High Complexity Attack with Data Integrity and Confidentiality Impact
CVE-2024-8285

5.9MEDIUM

Key Information:

Vendor: Red Hat
Status: Streams For Apache Kafka
Vendor: CVE Published:; 30 August 2024

Summary

A vulnerability exists in Kroxylicious where the software fails to adequately verify the hostname of an upstream Kafka server during the establishment of a TLS secured connection. This misconfiguration creates a potential for an attacker to execute a Man-in-the-Middle attack or compromise other external systems, such as DNS settings or network routing. Successful exploitation requires elevated privileges, allowing access to the Kroxylicious configuration or an associated peer system, thereby compromising both data integrity and confidentiality during data exchange.

References

https://access.redhat.com/security/cve/CVE-2024-8285

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2308606

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2024