CVE-2019-12399
kafka: Connect REST API exposes plaintext secrets in tasks endpoint
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.
Cuando los trabajadores de Connect en Apache Kafka versiones 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1 o 2.3.0, son configurados con uno o más proveedores de configuración, y un conector es creado y actualizado sobre este clúster Connect para usar una variable secreta externalizada en una subcadena de un valor de propiedad de configuración del conector, cualquier cliente puede emitir una petición al mismo clúster de Connect para obtener la configuración de tareas del conector y la respuesta contendrá el secreto de texto plano en lugar de las variables secretas externalizadas.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-05-28 CVE Reserved
- 2020-01-14 CVE Published
- 2023-12-21 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-319: Cleartext Transmission of Sensitive Information
CAPEC
References (26)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpujan2021.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Kafka Search vendor "Apache" for product "Kafka" | 2.0.0 Search vendor "Apache" for product "Kafka" and version "2.0.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Kafka Search vendor "Apache" for product "Kafka" | 2.0.1 Search vendor "Apache" for product "Kafka" and version "2.0.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Kafka Search vendor "Apache" for product "Kafka" | 2.1.0 Search vendor "Apache" for product "Kafka" and version "2.1.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Kafka Search vendor "Apache" for product "Kafka" | 2.1.1 Search vendor "Apache" for product "Kafka" and version "2.1.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Kafka Search vendor "Apache" for product "Kafka" | 2.2.0 Search vendor "Apache" for product "Kafka" and version "2.2.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Kafka Search vendor "Apache" for product "Kafka" | 2.2.1 Search vendor "Apache" for product "Kafka" and version "2.2.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Kafka Search vendor "Apache" for product "Kafka" | 2.3.0 Search vendor "Apache" for product "Kafka" and version "2.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.1.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.3.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.4.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.1.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.3.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.4.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Liquidity Management Search vendor "Oracle" for product "Banking Liquidity Management" | >= 14.0.0 <= 14.4.0 Search vendor "Oracle" for product "Banking Liquidity Management" and version " >= 14.0.0 <= 14.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Payments Search vendor "Oracle" for product "Banking Payments" | 14.4.0 Search vendor "Oracle" for product "Banking Payments" and version "14.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.7.0 Search vendor "Oracle" for product "Banking Platform" and version "2.7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance" | >= 14.2.0 <= 14.4.0 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version " >= 14.2.0 <= 14.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management" | 14.1.0 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management" | 14.3.0 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management" | 14.4.0 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.1.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.3.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.4.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Blockchain Platform Search vendor "Oracle" for product "Blockchain Platform" | < 21.1.2 Search vendor "Oracle" for product "Blockchain Platform" and version " < 21.1.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy" | 1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" | >= 8.0.6 <= 8.1.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.6 <= 8.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Universal Banking Search vendor "Oracle" for product "Flexcube Universal Banking" | 14.4.0 Search vendor "Oracle" for product "Flexcube Universal Banking" and version "14.4.0" | - |
Affected
| ||||||