CVE-2024-8285

30 Ago 2024

Título es

CVE-2024-8285

Vie, 30/08/2024 – 22:15

Tipo

CWE-297

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-8285

Descripción en

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

31/08/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)

7.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

HIGH

Referencias

https://access.redhat.com/security/cve/CVE-2024-8285

https://bugzilla.redhat.com/show_bug.cgi?id=2308606

Enviar en el boletín

Off

CVE-2024-8285

CVE-2024-8285

Jose Alexis Correa Valencia