CVE-2019-12399

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cusers.kafka.apache.org%3E	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2020/01/14/1	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cannounce.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261@%3Ccommits.kafka.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E	Mailing List Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662@%3Ccommits.kafka.apache.org%3E	Mailing List Patch Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:kafka:2.0.1:::::::*
	cpe:2.3:a:apache:kafka:2.1.1:::::::*
	cpe:2.3:a:apache:kafka:2.2.0:::::::*
	cpe:2.3:a:apache:kafka:2.2.1:::::::*
	cpe:2.3:a:apache:kafka:2.3.0:::::::*
	cpe:2.3:a:apache:kafka:2.0.0:::::::*
	cpe:2.3:a:apache:kafka:2.1.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*
	cpe:2.3:a:oracle:flexcube_universal_banking:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance::::::::
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_liquidity_management::::::::
	cpe:2.3:a:oracle:banking_payments:14.4.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:::::::*
	cpe:2.3:a:oracle:blockchain_platform::::::::

Information

Published : 2020-01-14 07:15

Updated : 2022-06-07 11:41

NVD link : CVE-2019-12399

Mitre link : CVE-2019-12399

JSON object : View

CWE

CWE-319

Cleartext Transmission of Sensitive Information

Products Affected

oracle

banking_credit_facilities_process_management
financial_services_analytical_applications_infrastructure
banking_liquidity_management
banking_corporate_lending_process_management
blockchain_platform
banking_platform
banking_supply_chain_finance
flexcube_universal_banking
banking_trade_finance_process_management
banking_virtual_account_management
banking_payments
communications_cloud_native_core_policy

apache

kafka

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2019-12399

7.5^/10

5.0^/10

Attach tags to `CVE-2019-12399`