How severe is CVE-2024-8285?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2024-8285?

This is classified as CWE-297, which is a common weakness in software security.

CVE-2024-8285 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

Related Vulnerabilities

CVE-2014-3603

MEDIUM

CVSS:5.9(Medium)

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain n...

CWE-2972014

CVE-2020-1758

MEDIUM

CVSS:5.9(Medium)

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a ma...

CWE-2972020

CVE-2016-1280

MEDIUM

CVSS:6.5(Medium)

PKId in Juniper Junos OS before 12.1X44-D52, 12.1X46 before 12.1X46-D37, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R12, 12.3X48 before 12.3X48-D20, 13.3 before 13.3R10, 14.1 before 14.1R8, 14.1X53 b...

CWE-2972016

CVE-2024-2466

MEDIUM

CVSS:6.5(Medium)

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when t...

CWE-2972024

CVE-2024-38324

MEDIUM

CVSS:6.5(Medium)

IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an ...

CWE-2972024

CVE-2025-42921

MEDIUM

CVSS:6.5(Medium)

In JetBrains Toolbox App before 2.6 host key verification was missing in SSH plugin

CWE-2972025