Vulnerability Description
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Kroxylicious | - |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2024:9571
- https://access.redhat.com/security/cve/CVE-2024-8285Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2308606Issue TrackingVendor Advisory
FAQ
What is CVE-2024-8285?
CVE-2024-8285 is a vulnerability with a CVSS score of 5.9 (MEDIUM). A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting...
How severe is CVE-2024-8285?
CVE-2024-8285 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-8285?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Kroxylicious.