CVE-2019-12399

CWE-319Cleartext TransmissionCWE-200Information Exposure10 documents7 sources
Severity
7.5HIGH
EPSS
2.3%
top 15.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
Oracle Blockchain PlatformOracle Banking Liquidity ManagementOracle Banking Supply Chain Finance+10 more
Timeline
PublishedJan 14
Latest updateApr 15

Description

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variabl

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages15 packages

Mavenorg.apache.kafka:kafka2.0.02.0.2+3
CVEListV5apache/kafka7 versions+6
NVDapache/kafka7 versions+6

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
nss vulnerabilities2020-06-16
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Apache Kafka2020-05-12
OSV
Exposure of Sensitive Information to an Unauthorized Actor in Apache Kafka2020-05-12
CVEList
CVE-2019-12399: When Connect workers in Apache Kafka 22020-01-14

📋Vendor Advisories

4
Oracle
Oracle Oracle Blockchain Platform Risk Matrix: BCS Console (Apache Kafka) — CVE-2019-123992022-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Measurements (Apache Kafka) — CVE-2019-123992021-07-15
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Core (Apache Kafka) — CVE-2019-123992021-01-15
Red Hat
kafka: Connect REST API exposes plaintext secrets in tasks endpoint2020-01-14

💬Community

1
Bugzilla
CVE-2019-12399 kafka: Connect REST API exposes plaintext secrets in tasks endpoint2020-01-30