CVE-2024-56128

Опубликовано: 18 дек. 2024

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation.

Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation.

Impact: This vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly discouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3]. Deployments using SCRAM with TLS are not affected by this issue.

How to Detect If You Are Impacted: If your deployment uses SCRAM authent

Ссылки

https://datatracker.ietf.org/doc/html/rfc5802
Technical Description
https://datatracker.ietf.org/doc/html/rfc5802#section-9
Technical Description
https://kafka.apache.org/documentation/#security_sasl_scram_security
Product
https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/12/18/3
Mailing List
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*

Версия от 0.10.2.0 (включая) до 3.7.2 (исключая)

cpe:2.3:a:apache:kafka:3.8.0:*:*:*:*:*:*:*

EPSS

Процентиль: 32%

0.00123

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-303

NVD-CWE-Other

Связанные уязвимости

CVE-2024-56128

CVSS3: 7.4

redhat

около 1 года назад

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation. Impact: This vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly discouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3]. Deployments using SCRAM with TLS are not affected by this issue. How to Detect If You Are Impacted: If your deployment uses SCRAM authent...

CVE-2024-56128

CVSS3: 5.3

debian

около 1 года назад

Incorrect Implementation of Authentication Algorithm in Apache Kafka's ...

GHSA-p7c9-8xx8-h74f

CVSS3: 5.3

github

около 1 года назад

Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm

BDU:2025-00027

CVSS3: 5.3

fstec

около 1 года назад

Уязвимость механизма аутентификации Salted Challenge Response Authentication Mechanism (SCRAM) диспетчера сообщений Apache Kafka, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

ROS-20250630-05

CVSS3: 5.3

redos

6 месяцев назад

Уязвимость apache-kafka

EPSS

Процентиль: 32%

0.00123

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-303

NVD-CWE-Other