CVE-2019-12399

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 14-01-2020 04:15

Last modified: - 07-06-2022 08:41

Total changes: - 10

Description

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

High

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=apache AND product=kafka AND version=2.0.1

vendor=apache AND product=kafka AND version=2.1.1

vendor=apache AND product=kafka AND version=2.2.0

vendor=apache AND product=kafka AND version=2.2.1

vendor=apache AND product=kafka AND version=2.3.0

vendor=apache AND product=kafka AND version=2.0.0

vendor=apache AND product=kafka AND version=2.1.0

vendor=oracle AND product=financial_services_analytical_applications_infrastructure AND versionEndIncluding=8.1.0 AND versionStartIncluding=8.0.6

vendor=oracle AND product=banking_platform AND version=2.7.0

vendor=oracle AND product=flexcube_universal_banking AND version=14.4.0

vendor=oracle AND product=banking_virtual_account_management AND version=14.1.0

vendor=oracle AND product=banking_virtual_account_management AND version=14.3.0

vendor=oracle AND product=banking_virtual_account_management AND version=14.4.0

vendor=oracle AND product=banking_trade_finance_process_management AND version=14.1.0

vendor=oracle AND product=banking_trade_finance_process_management AND version=14.3.0

vendor=oracle AND product=banking_trade_finance_process_management AND version=14.4.0

vendor=oracle AND product=banking_supply_chain_finance AND versionEndIncluding=14.4.0 AND versionStartIncluding=14.2.0

vendor=oracle AND product=banking_corporate_lending_process_management AND version=14.1.0

vendor=oracle AND product=banking_corporate_lending_process_management AND version=14.3.0

vendor=oracle AND product=banking_corporate_lending_process_management AND version=14.4.0

vendor=oracle AND product=banking_credit_facilities_process_management AND version=14.1.0

vendor=oracle AND product=banking_credit_facilities_process_management AND version=14.3.0

vendor=oracle AND product=banking_credit_facilities_process_management AND version=14.4.0

vendor=oracle AND product=banking_liquidity_management AND versionEndIncluding=14.4.0 AND versionStartIncluding=14.0.0

vendor=oracle AND product=banking_payments AND version=14.4.0

vendor=oracle AND product=communications_cloud_native_core_policy AND version=1.9.0

vendor=oracle AND product=blockchain_platform AND versionEndExcluding=21.1.2

Reference

[kafka-dev] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint-Mailing List, Vendor Advisory
[kafka-users] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint-Mailing List, Vendor Advisory
[oss-security] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint-Mailing List, Third Party Advisory
[announce] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint-Mailing List, Vendor Advisory
[kafka-commits] 20200115 [kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250)-Mailing List, Vendor Advisory
[druid-commits] 20200126 [GitHub] [druid] clintropolis opened a new pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200126 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9261: Address CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] ccaominh opened a new pull request #9261: Address CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] ccaominh closed pull request #9261: Address CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9261: Address CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200127 [GitHub] [druid] jihoonson merged pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399-Mailing List, Vendor Advisory
[druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization-Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
N/A-Patch, Third Party Advisory
[kafka-commits] 20210921 [kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375)-Mailing List, Patch, Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2019-12399

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2019-12399

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures