Incorrect Implementation of Authentication Algorithm
CVE-2024-56128
Summary
Apache Kafka's SCRAM implementation does not validate the nonce during the authentication exchange, which violates RFC 5802 and constitutes an authentication algorithm issue. An attacker with plaintext access to the SCRAM authentication exchange can exploit this missing validation. The issue affects deployments that run SCRAM over plaintext communication, since the authentication exchange is then unencrypted and open to interception. Using SCRAM with TLS mitigates the vulnerability by encrypting the authentication exchange. Users are advised to enable TLS for SCRAM authentication, or to consider alternative mechanisms such as Kerberos or OAuth, to ensure secure communication. The issue has been resolved by introducing nonce validation in the SCRAM authentication process. Affected versions: 0.10.2.0 through 3.7.1, and 3.8.0.
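To show what the missing check looks like in a SCRAM-SHA-256 server, here is an added Python example (not Kafka's code) of a minimal client/server exchange whose server compares the nonce in client-final against the one it issued, as RFC 5802 requires; the password, salt and nonces are constructed demo values, and `validate_nonce=False` only mimics a server that skips that comparison.

```python
import base64
import hashlib
import hmac

# Constructed demo credentials and nonces (not real Kafka values; real nonces
# are random per session).
PASSWORD = "correct horse"
SALT, ITERS = b"\x01" * 16, 4096
CLIENT_NONCE, SERVER_NONCE = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"

def derive_keys(password: str) -> tuple[bytes, bytes]:
    """RFC 5802: SaltedPassword -> ClientKey -> StoredKey (what the server stores)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERS)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    return client_key, hashlib.sha256(client_key).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_final(client_first_bare: str, server_first: str, nonce: str) -> str:
    """Client side: ClientProof over AuthMessage, carrying whatever nonce it asserts."""
    without_proof = f"c=biws,r={nonce}"
    auth_msg = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_key, stored_key = derive_keys(PASSWORD)
    proof = xor(client_key, hmac.new(stored_key, auth_msg, "sha256").digest())
    return f"{without_proof},p={base64.b64encode(proof).decode()}"

def server_verify(stored_key: bytes, client_first_bare: str, server_first: str,
                  issued_nonce: str, final_msg: str, validate_nonce: bool = True) -> bool:
    """Server side. validate_nonce=False mimics a server that skips the RFC check."""
    fields = dict(f.split("=", 1) for f in final_msg.split(","))
    # RFC 5802: r in client-final MUST equal client-nonce + server-nonce from
    # server-first. The proof below is computed over r as received, so it does
    # not catch a mismatch on its own; this explicit comparison is the fix.
    if validate_nonce and not hmac.compare_digest(fields.get("r", "").encode(), issued_nonce.encode()):
        return False
    without_proof = final_msg.rsplit(",p=", 1)[0]
    auth_msg = f"{client_first_bare},{server_first},{without_proof}".encode()
    signature = hmac.new(stored_key, auth_msg, "sha256").digest()
    recovered = xor(base64.b64decode(fields["p"]), signature)  # ClientKey = proof XOR sig
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)

def run_exchange(nonce_in_final: str, validate_nonce: bool = True) -> bool:
    """Full SCRAM-SHA-256 exchange; the client asserts nonce_in_final in its last message."""
    client_first_bare = f"n=alice,r={CLIENT_NONCE}"
    issued = CLIENT_NONCE + SERVER_NONCE
    server_first = f"r={issued},s={base64.b64encode(SALT).decode()},i={ITERS}"
    _, stored_key = derive_keys(PASSWORD)
    final_msg = client_final(client_first_bare, server_first, nonce_in_final)
    return server_verify(stored_key, client_first_bare, server_first, issued, final_msg, validate_nonce)
```

Because AuthMessage is built from client-final as received, a valid proof says nothing about whether `r` matches the issued nonce; only the explicit comparison enforces that binding.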
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-303 - Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.