CVE-2019-12399
Last modified
CVE-2019-12399 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.. EPSS estimates a 3.91% chance of exploitation in the next 30 days.
Description
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Kafka | 2.0.0 |
| Apache | Kafka | 2.0.1 |
| Apache | Kafka | 2.1.0 |
| Apache | Kafka | 2.1.1 |
| Apache | Kafka | 2.2.0 |
| Apache | Kafka | 2.2.1 |
| Apache | Kafka | 2.3.0 |
| Oracle | Banking Corporate Lending Process Management | 14.1.0 |
| Oracle | Banking Corporate Lending Process Management | 14.3.0 |
| Oracle | Banking Corporate Lending Process Management | 14.4.0 |
| Oracle | Banking Credit Facilities Process Management | 14.1.0 |
| Oracle | Banking Credit Facilities Process Management | 14.3.0 |
| Oracle | Banking Credit Facilities Process Management | 14.4.0 |
| Oracle | Banking Liquidity Management | >= 14.0.0, <= 14.4.0 |
| Oracle | Banking Payments | 14.4.0 |
| Oracle | Banking Platform | 2.7.0 |
| Oracle | Banking Supply Chain Finance | >= 14.2.0, <= 14.4.0 |
| Oracle | Banking Trade Finance Process Management | 14.1.0 |
| Oracle | Banking Trade Finance Process Management | 14.3.0 |
| Oracle | Banking Trade Finance Process Management | 14.4.0 |
| Oracle | Banking Virtual Account Management | 14.1.0 |
| Oracle | Banking Virtual Account Management | 14.3.0 |
| Oracle | Banking Virtual Account Management | 14.4.0 |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Communications Cloud Native Core Policy | 1.9.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Flexcube Universal Banking | 14.4.0 |
References
- http://www.openwall.com/lists/oss-security/2020/01/14/1Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2020/01/14/1Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-12399?
How severe is CVE-2019-12399?
How do I fix CVE-2019-12399?
Are you affected by CVE-2019-12399?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST