CVE-2019-12399

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

Published: Jan 14, 2020
Updated: Nov 8, 2023
CVE: CVE-2019-12399
GHSA: GHSA-6jmf-mxwf-r3jc
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-319

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
apache / kafka	2.0.1	2.0.1.x
apache / kafka	2.1.1	2.1.1.x
apache / kafka	2.2.0	2.2.0.x
apache / kafka	2.2.1	2.2.1.x
apache / kafka	2.3.0	2.3.0.x
apache / kafka	2.0.0	2.0.0.x
apache / kafka	2.1.0	2.1.0.x
oracle / financial_services_analytical_applications_infrastructure	8.0.6	8.1.0.x
oracle / banking_platform	2.7.0	2.7.0.x
oracle / flexcube_universal_banking	14.4.0	14.4.0.x
oracle / banking_virtual_account_management	14.1.0	14.1.0.x
oracle / banking_virtual_account_management	14.3.0	14.3.0.x
oracle / banking_virtual_account_management	14.4.0	14.4.0.x
oracle / banking_trade_finance_process_management	14.1.0	14.1.0.x
oracle / banking_trade_finance_process_management	14.3.0	14.3.0.x
oracle / banking_trade_finance_process_management	14.4.0	14.4.0.x
oracle / banking_supply_chain_finance	14.2.0	14.4.0.x
oracle / banking_liquidity_management	14.0.0	14.4.0.x
oracle / banking_credit_facilities_process_management	14.1.0	14.1.0.x
oracle / banking_credit_facilities_process_management	14.3.0	14.3.0.x
oracle / banking_credit_facilities_process_management	14.4.0	14.4.0.x
oracle / banking_corporate_lending_process_management	14.3.0	14.3.0.x
oracle / banking_payments	14.4.0	14.4.0.x
oracle / banking_corporate_lending_process_management	14.4.0	14.4.0.x
oracle / banking_corporate_lending_process_management	14.1.0	14.1.0.x
oracle / communications_cloud_native_core_policy	1.9.0	1.9.0.x
oracle / blockchain_platform	-	21.1.2
org.apache.kafka / kafka	2.0.0	2.0.2
org.apache.kafka / kafka	2.1.0	2.1.2
org.apache.kafka / kafka	2.2.0	2.2.2
org.apache.kafka / kafka	2.3.0	2.3.0.x
org.apache.kafka / kafka	2.3.0	2.3.1

Vulnerability Database

289,599

CVE-2019-12399