Vulnerability Name: CVE-2019-12399 (CCN-174387)
Assigned: 2019-05-28
Published: 2020-01-13
Updated: 2022-06-07

Summary: When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration, and the response will contain the plaintext secret rather than the externalized secret variable.

CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): None; Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
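As an added, defender-side illustration of the condition in the summary (example code written for this record, not code from the page, from Apache Kafka or from any vendor listed here), the check below compares a connector's submitted configuration with a constructed copy of the tasks-endpoint response an affected worker would return: a property that embeds a ${provider:path:key} reference inside a longer value comes back with the secret substituted, while a property whose whole value is a reference is returned unresolved. The connector class, host, file path, key names and secret value are all placeholders.

```python
import re

# A config-provider reference as written in a connector config,
# e.g. ${file:/etc/kafka/secrets.properties:db.password}
VAR_RE = re.compile(r"\$\{[^}]*\}")

# Constructed sample: connector config as submitted, secrets externalized.
# Class name, host, path and key names are placeholders.
CONNECTOR_CONFIG = {
    "connector.class": "io.example.JdbcSinkConnector",
    "connection.password": "${file:/etc/kafka/secrets.properties:db.password}",
    "connection.url": "jdbc:postgresql://db.example:5432/app"
                      "?user=app&password=${file:/etc/kafka/secrets.properties:db.password}",
}

# Constructed sample of GET /connectors/<name>/tasks from an affected worker:
# the whole-value reference is returned as-is, the substring one was resolved.
VULNERABLE_TASKS_RESPONSE = [
    {
        "id": {"connector": "jdbc-sink", "task": 0},
        "config": {
            "connector.class": "io.example.JdbcSinkConnector",
            "connection.password": "${file:/etc/kafka/secrets.properties:db.password}",
            "connection.url": "jdbc:postgresql://db.example:5432/app"
                              "?user=app&password=hunter2-constructed",
        },
    }
]

def substring_references(connector_config):
    """Keys whose value embeds a ${...} reference inside a longer string, the
    shape the advisory describes; a value that is exactly one reference is not flagged."""
    keys = []
    for key, value in connector_config.items():
        refs = VAR_RE.findall(value)
        if refs and not (len(refs) == 1 and refs[0] == value):
            keys.append(key)
    return sorted(keys)

def leaked_task_keys(connector_config, tasks_response):
    """(task, key) pairs where the tasks endpoint returned something other than the
    unresolved reference for a key that carried one. A patched worker yields []."""
    leaks = []
    for task in tasks_response:
        task_cfg = task.get("config", {})
        for key, value in connector_config.items():
            if VAR_RE.search(value) and task_cfg.get(key, value) != value:
                leaks.append((task["id"]["task"], key))
    return sorted(leaks)
```

Running substring_references over stored connector configs shows which connectors match the affected pattern before an upgrade; running leaked_task_keys against the live endpoint after an upgrade confirms the worker now returns references verbatim.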
Vulnerability Type: CWE-319
Vulnerability Consequences: Obtain Information

References:
Source: MITRE; Type: CNA; CVE-2019-12399
Source: MLIST; Type: Mailing List, Third Party Advisory; [oss-security] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
Source: XF; Type: UNKNOWN; apache-kafka-cve201912399-info-disc(174387)
Source: CCN; Type: Apache Web site; Kafka
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9261: Address CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] jihoonson merged pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200126 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9261: Address CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200126 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [kafka-dev] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
Source: MLIST; Type: Mailing List, Vendor Advisory; [announce] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
Source: MLIST; Type: Mailing List, Vendor Advisory; [kafka-users] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200126 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] ccaominh closed pull request #9261: Address CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [kafka-commits] 20200115 [kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250)
Source: MLIST; Type: Mailing List, Patch, Vendor Advisory; [kafka-commits] 20210921 [kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375)
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200126 [GitHub] [druid] clintropolis opened a new pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399
Source: MLIST; Type: Mailing List, Vendor Advisory; [druid-commits] 20200127 [GitHub] [druid] ccaominh opened a new pull request #9261: Address CVE-2019-12399
Source: CCN; Type: oss-sec Mailing List, Thu, 19 Jan 2012 13:12:10 +0100; CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
Source: CCN; Type: IBM Security Bulletin 6226532 (Event Streams); IBM Event Streams is affected by kafka vulnerability CVE-2019-12399
Source: CCN; Type: IBM Security Bulletin 6323297 (Security Guardium Insights); IBM Security Guardium Insights is affected by multiple vulnerabilities
Source: CCN; Type: IBM Security Bulletin 6845363 (Security QRadar SIEM); Apache Kafka as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2019-12399)
Source: N/A; Type: Patch, Third Party Advisory; N/A
Source: CCN; Type: Oracle Critical Patch Update Advisory - April 2021; Oracle Critical Patch Update Advisory - April 2021
Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuApr2021.html
Source: CCN; Type: Oracle CPUApr2022; Oracle Critical Patch Update Advisory - April 2022
Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuapr2022.html
Source: CCN; Type: Oracle CPUJan2021; Oracle Critical Patch Update Advisory - January 2021
Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpujan2021.html
Source: CCN; Type: Oracle CPUJul2021; Oracle Critical Patch Update Advisory - July 2021

Vulnerable Configuration:

Configuration 1:
cpe:/a:apache:kafka:2.0.1:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.1.1:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.2.0:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.2.1:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.3.0:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.0.0:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.1.0:*:*:*:*:*:*:*

Configuration 2:
cpe:/a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (Version >= 8.0.6 and <= 8.1.0) OR
cpe:/a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:flexcube_universal_banking:14.4.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_virtual_account_management:14.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_virtual_account_management:14.4.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_trade_finance_process_management:14.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_trade_finance_process_management:14.4.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_supply_chain_finance:*:*:*:*:*:*:*:* (Version >= 14.2.0 and <= 14.4.0) OR
cpe:/a:oracle:banking_corporate_lending_process_management:14.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_corporate_lending_process_management:14.4.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_credit_facilities_process_management:14.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_credit_facilities_process_management:14.4.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_liquidity_management:*:*:*:*:*:*:*:* (Version >= 14.0.0 and <= 14.4.0) OR
cpe:/a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:blockchain_platform:*:*:*:*:*:*:*:* (Version < 21.1.2)

Configuration CCN 1:
cpe:/a:apache:kafka:2.1.0:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.0.0:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.0.1:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.1.1:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.2.0:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.2.1:*:*:*:*:*:*:* OR
cpe:/a:apache:kafka:2.3.0:*:*:*:*:*:*:*
AND
cpe:/a:ibm:event_streams:2019.2.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:event_streams:2019.2.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:event_streams:2019.2.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:event_streams:2019.4.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*