Key Information

1. Vulnerability ID:
   - CVE-2024-8285

2. Release Date:
   - August 27, 2024

3. Last Updated:
   - August 30, 2024

4. Severity:
   - Medium

5. Description:
   - Kroxylicious has a flaw when establishing a TLS connection with upstream Kafka servers: it fails to properly validate the server's hostname, which results in an insecure connection.

6. Attack Vector:
   - Requires performing a Man-in-the-Middle attack or controlling external systems such as DNS or network routing configurations.

7. Impact:
   - Affects data integrity and confidentiality.

8. Affected Packages and Red Hat Security Patches:
   - Includes multiple Kroxylicious components, such as kroxylicious-annotations, kroxylicious-api, kroxylicious-app-licenses, etc.

9. CVSS Score:
   - CVSS v3 Base Score: 7.3
   - CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

10. Frequently Asked Questions:
   - Why does Red Hat's CVSS score or impact differ from other vendors?
   - If a product is listed as "under investigation" or "affected," when will Red Hat release a fix?
   - If my product is listed as "unfixable," what should I do?
   - What are mitigations?
   - I have a Red Hat product, but it is not listed above; am I affected?
   - Why does my security scanner report this vulnerability in my product, even though my product version is patched or unaffected?

Additional Information

External References:
   - Detailed information on CVE-2024-8285
   - NVD details

Disclaimer:
   - This page is automatically generated and has not been checked for errors or omissions.
   - For clarifications or corrections, contact the Red Hat Product Security Team.

Copyright:
   - CVE description copyright © 2021
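The following is an added illustration of the defect class the description names, not code from the Kroxylicious project or from this advisory. With a Netty client, an SSLEngine built without an endpoint identification algorithm validates the certificate chain but never checks that the certificate matches the upstream broker's hostname, so a MitM holding any certificate from a trusted CA is accepted; setting the algorithm to "HTTPS" enables JSSE's RFC 2818/6125 hostname matching. The trust-store path is an assumption.

```java
import io.netty.channel.Channel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.io.File;

/** Added example (not Kroxylicious code): TLS handler for an upstream Kafka broker. */
public final class UpstreamTls {

    // Assumed path for illustration only.
    private static final File TRUSTED_CAS = new File("/path/to/upstream-ca.pem");

    /** Weak: the chain is validated against TRUSTED_CAS, but the peer's name is never checked. */
    static SslHandler weakHandler(Channel ch, String host, int port) throws Exception {
        SslContext ctx = SslContextBuilder.forClient().trustManager(TRUSTED_CAS).build();
        // newEngine() records host/port for SNI and session caching, but Netty does not
        // enable hostname verification by default: any cert signed by a trusted CA is accepted.
        SSLEngine engine = ctx.newEngine(ch.alloc(), host, port);
        return new SslHandler(engine);
    }

    /** Hardened: same context, plus endpoint identification so the cert must match host. */
    static SslHandler hardenedHandler(Channel ch, String host, int port) throws Exception {
        SslContext ctx = SslContextBuilder.forClient().trustManager(TRUSTED_CAS).build();
        SSLEngine engine = ctx.newEngine(ch.alloc(), host, port);
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects RFC 2818/6125 matching of the cert's SAN/CN against the host
        // passed to newEngine(); a mismatch fails the handshake instead of connecting.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return new SslHandler(engine);
    }

    /** Defender check: true only if this engine will verify the peer's hostname. */
    static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }
}
```

When reviewing a proxy or client for this flaw, the quickest check is the one in verifiesHostname(): inspect every outbound SSLEngine (or SSLSocket) and confirm the endpoint identification algorithm is set, since a trusted CA alone does not bind the certificate to the broker you meant to reach.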