VDB

CVE-2024-8285

CVE-2024-8285 PUBLISHED CVSS 5.900000095367432 MEDIUM

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

EPSS 0.15% · 35.1th percentile

Risk Scores

CVSS 3.1
5.900000095367432
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.15%
35.1th percentile

Affected Products

VendorProductVersions
Red Hatstreams for Apache Kafka
0.80.0
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Mavenio.kroxylicious:kroxylicious-runtime0
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red HatStreams for Apache Kafka 2.8.0
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
redhatkroxylicious
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka
Red Hatstreams for Apache Kafka

…and 6 more

Timeline

  • Aug 30, 2024 CVE Published
  • Aug 31, 2024 EPSS Score
  • Sep 20, 2024 EPSS Score
  • Oct 5, 2024 Coalition ESS Score
  • Oct 10, 2024 EPSS Score
  • Oct 31, 2024 EPSS Score
  • Nov 14, 2024 Coalition ESS Score
  • Nov 20, 2024 EPSS Score
  • Dec 11, 2024 EPSS Score
  • Dec 31, 2024 EPSS Score
  • Jan 20, 2025 EPSS Score
  • Feb 10, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›