CVE-2019-12399
Summary
| CVE | CVE-2019-12399 |
|---|---|
| State | PUBLIC |
| Assigner | security@apache.org |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-01-14 15:15:00 UTC |
| Updated | 2023-11-07 03:03:00 UTC |
| Description | When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables. |
Risk And Classification
Problem Types: CWE-319
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Kafka | 2.0.0 | All | All | All |
| Application | Apache | Kafka | 2.0.1 | All | All | All |
| Application | Apache | Kafka | 2.1.0 | All | All | All |
| Application | Apache | Kafka | 2.1.1 | All | All | All |
| Application | Apache | Kafka | 2.2.0 | All | All | All |
| Application | Apache | Kafka | 2.2.1 | All | All | All |
| Application | Apache | Kafka | 2.3.0 | All | All | All |
| Application | Oracle | Banking Corporate Lending Process Management | 14.1.0 | All | All | All |
| Application | Oracle | Banking Corporate Lending Process Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Corporate Lending Process Management | 14.4.0 | All | All | All |
| Application | Oracle | Banking Credit Facilities Process Management | 14.1.0 | All | All | All |
| Application | Oracle | Banking Credit Facilities Process Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Credit Facilities Process Management | 14.4.0 | All | All | All |
| Application | Oracle | Banking Liquidity Management | All | All | All | All |
| Application | Oracle | Banking Payments | 14.4.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.7.0 | All | All | All |
| Application | Oracle | Banking Supply Chain Finance | All | All | All | All |
| Application | Oracle | Banking Trade Finance Process Management | 14.1.0 | All | All | All |
| Application | Oracle | Banking Trade Finance Process Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Trade Finance Process Management | 14.4.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.1.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.4.0 | All | All | All |
| Application | Oracle | Blockchain Platform | All | All | All | All |
| Application | Oracle | Communications Cloud Native Core Policy | 1.9.0 | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | All | All | All | All |
| Application | Oracle | Flexcube Universal Banking | 14.4.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| oss-security - CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint | MLIST | www.openwall.com | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| [kafka-commits] 20210921 [kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375) | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 983755 Java (maven) Security Update for org.apache.kafka:kafka (GHSA-6jmf-mxwf-r3jc)