Incorrect Implementation of Authentication Algorithm

CVE-2024-56128

Severity Medium
Score 6.3/10

Summary

An authentication algorithm issue in Apache Kafka's SCRAM implementation allows attackers with plaintext access to the SCRAM authentication exchange to exploit the lack of nonce validation, which violates RFC 5802. This issue affects deployments using SCRAM over plaintext communication, as the authentication exchange is not encrypted, making it susceptible to interception. Using SCRAM with TLS mitigates the vulnerability by encrypting authentication exchanges. Users are advised to enable TLS for SCRAM authentication or consider alternative mechanisms like Kerberos or OAuth to ensure secure communication. The issue has been resolved by introducing nonce validation in the SCRAM authentication process. This issue affects versions 0.10.2.0 through 3.7.1 and 3.8.0.
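To make the missing step concrete, here is an added example (not code from Kafka or from this advisory) of a minimal SCRAM-SHA-256 exchange in Python in which the server side performs the RFC 5802 nonce check: client-final must echo exactly the combined client+server nonce the session issued, before the client proof is even examined. The user name, credentials and the `validate_nonce` switch that models the pre-fix behaviour are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
# Constructed credentials (not from the advisory): what a broker stores for one SCRAM user.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt-0123"
ITERATIONS = 4096

def parse_attrs(msg):  # bare "k=v,k=v" SCRAM message -> dict
    return dict(part.split("=", 1) for part in msg.split(","))
def derive_keys(password, salt, iterations):  # RFC 5802 s.3: SaltedPassword -> ClientKey, StoredKey
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return client_key, hashlib.sha256(client_key).digest()

def client_signature(stored_key, c_first_bare, s_first, c_final_no_proof):
    auth_message = ",".join([c_first_bare, s_first, c_final_no_proof]).encode()
    return hmac.new(stored_key, auth_message, hashlib.sha256).digest()

def server_first(c_first_bare):
    # Server appends its own random part to the client nonce: r = c-nonce + s-nonce.
    combined = parse_attrs(c_first_bare)["r"] + secrets.token_urlsafe(18)
    return combined, f"r={combined},s={base64.b64encode(SALT).decode()},i={ITERATIONS}"

def client_final(c_first_bare, s_first, password, nonce_to_send):
    attrs = parse_attrs(s_first)
    client_key, stored_key = derive_keys(password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    no_proof = f"c={base64.b64encode(b'n,,').decode()},r={nonce_to_send}"  # c = gs2 header, no channel binding
    sig = client_signature(stored_key, c_first_bare, s_first, no_proof)
    proof = bytes(a ^ b for a, b in zip(client_key, sig))
    return f"{no_proof},p={base64.b64encode(proof).decode()}"

def server_verify(c_first_bare, s_first, expected_nonce, c_final, stored_key, validate_nonce=True):
    attrs = parse_attrs(c_final)
    # RFC 5802 step the fix adds: client-final must echo this session's nonce exactly; validate_nonce=False models the pre-fix broker.
    if validate_nonce and not hmac.compare_digest(attrs["r"], expected_nonce):
        return False
    sig = client_signature(stored_key, c_first_bare, s_first, c_final.rsplit(",p=", 1)[0])
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(attrs["p"]), sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

def run_exchange(validate_nonce=True, honest_client=True):
    # Full exchange with a password-holding client; returns whether the broker accepts it.
    c_first_bare = f"n=alice,r={secrets.token_urlsafe(18)}"
    combined, s_first = server_first(c_first_bare)
    nonce = combined if honest_client else parse_attrs(c_first_bare)["r"]  # drops the server half
    c_final = client_final(c_first_bare, s_first, PASSWORD, nonce)
    _, stored_key = derive_keys(PASSWORD, SALT, ITERATIONS)
    return server_verify(c_first_bare, s_first, combined, c_final, stored_key, validate_nonce)
```

With the check in place a client-final whose nonce does not match the session is rejected regardless of whether its proof verifies; without it, the proof alone decides and the exchange is no longer bound to the nonce the server contributed.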

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-303 - Incorrect Implementation of Authentication Algorithm

The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

Advisory Timeline

  • Published