Vulnerability Details : CVE-2019-12399
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.
Exploit prediction scoring system (EPSS) score for CVE-2019-12399
Probability of exploitation activity in the next 30 days: 0.13%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 48 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-12399
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-12399
-
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12399
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] ccaominh commented on issue #9261: Address CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E
CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] ccaominh opened a new pull request #9261: Address CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpujan2021.html
Oracle Critical Patch Update Advisory - January 2021Patch;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2020/01/14/1
oss-security - CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpointMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261@%3Ccommits.kafka.apache.org%3E
[kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250) - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] clintropolis commented on a change in pull request #9261: Address CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] ccaominh commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662@%3Ccommits.kafka.apache.org%3E
[kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375) - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] jihoonson merged pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] clintropolis opened a new pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cannounce.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] ccaominh closed pull request #9261: Address CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cusers.kafka.apache.org%3E
CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399 - Pony MailMailing List;Vendor Advisory
Products affected by CVE-2019-12399
- cpe:2.3:a:apache:kafka:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:kafka:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:kafka:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:kafka:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:kafka:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:kafka:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_universal_banking:14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*
- Oracle » Financial Services Analytical Applications InfrastructureVersions from including (>=) 8.0.6 and up to, including, (<=) 8.1.0cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.4.0:*:*:*:*:*:*:*
- Oracle » Banking Liquidity ManagementVersions from including (>=) 14.0.0 and up to, including, (<=) 14.4.0cpe:2.3:a:oracle:banking_liquidity_management:*:*:*:*:*:*:*:*
- Oracle » Banking Supply Chain FinanceVersions from including (>=) 14.2.0 and up to, including, (<=) 14.4.0cpe:2.3:a:oracle:banking_supply_chain_finance:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*