CVE-2024-56128

CWE-303 · 7 documents · 6 sources

Severity: 5.3 MEDIUM
EPSS: 0.4% (top 40.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 18 · Latest update Jul 15

Description

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validatio

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (6 packages)

Source     | Package                              | Introduced | Fixed
NVD        | apache/kafka                         | 0.10.2.0   | 3.7.2 (+1)
Maven      | org.apache.kafka:kafka_2.12          | 0.10.2.0   | 3.7.2 (+1)
Maven      | org.apache.kafka:kafka_2.13          | 0.10.2.0   | 3.7.2 (+1)
CVEListV5  | apache_software_foundation/apache_kafka | 0.10.2.0 | 3.7.2 (+1)
Maven      | org.apache.kafka:kafka_2.10          | 0.10.2.0   | 0.10.2.2

Vulnerability Details (3)

CVEList: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (2024-12-18)
GHSA: Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm (2024-12-18)
OSV: Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm (2024-12-18)

Vendor Advisories (3)

Oracle: Oracle Communications Applications Risk Matrix: Common Functions (Apache Kafka), CVE-2024-56128 (2025-07-15)
Oracle: Oracle Communications Applications Risk Matrix: Platform (Apache Kafka), CVE-2024-56128 (2025-04-15)
Red Hat: kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (2024-12-18)