CVE-2024-8285
A flaw was found in Kroxylicious. When establishing a TLS-secured connection to the upstream Kafka server, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. A successful attack requires the attacker to perform a man-in-the-middle attack or to compromise an external system such as DNS or the network routing configuration. This is considered a high-complexity attack that additionally requires high privileges, since the attacker would need access to the Kroxylicious configuration or to a peer system. A successful attack impacts both data integrity and confidentiality.
Risk Scores
EPSS 0.15% · 35.1st percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | streams for Apache Kafka | |
| 0.80.0 | | |
| Maven | io.kroxylicious:kroxylicious-runtime | 0 |
| Red Hat | Streams for Apache Kafka 2.8.0 | |
| redhat | kroxylicious | |
…and 6 more
Exploit Intelligence
- RHSA-2024:9571 (circl)
- https://access.redhat.com/security/cve/CVE-2024-8285 (circl)
- RHBZ#2308606 (circl)
Timeline
- Aug 30, 2024 CVE Published
- Aug 31, 2024 EPSS Score
- Sep 20, 2024 EPSS Score
- Oct 5, 2024 Coalition ESS Score
- Oct 10, 2024 EPSS Score
- Oct 31, 2024 EPSS Score
- Nov 14, 2024 Coalition ESS Score
- Nov 20, 2024 EPSS Score
- Dec 11, 2024 EPSS Score
- Dec 31, 2024 EPSS Score
- Jan 20, 2025 EPSS Score
- Feb 10, 2025 EPSS Score
References
- RHSA-2024:9571 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2024-8285 vdb
- RHBZ#2308606 issue
- https://nvd.nist.gov/vuln/detail/CVE-2024-8285 advisory
- https://github.com/kroxylicious/kroxylicious/commit/8be1efcb0a2160fa3ad4cb0e5a27e60160774dce url
- https://github.com/kroxylicious/kroxylicious package