{"containers": {"cna": {"affected": [{"product": "Kafka", "vendor": "Apache", "versions": [{"status": "affected", "version": "Apache Kafka 2.0.0"}, {"status": "affected", "version": "2.0.1"}, {"status": "affected", "version": "2.1.0"}, {"status": "affected", "version": "2.1.1"}, {"status": "affected", "version": "2.2.0"}, {"status": "affected", "version": "2.2.1"}, {"status": "affected", "version": "2.3.0"}]}], "descriptions": [{"lang": "en", "value": "When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:19:59", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[kafka-users] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cusers.kafka.apache.org%3E"}, {"name": "[oss-security] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/01/14/1"}, {"name": "[announce] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cannounce.apache.org%3E"}, {"name": "[kafka-dev] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20200115 [kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261%40%3Ccommits.kafka.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis opened a new pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh opened a new pull request #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh closed pull request #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] jihoonson merged pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[kafka-commits] 20210921 [kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662%40%3Ccommits.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-12399", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kafka", "version": {"version_data": [{"version_value": "Apache Kafka 2.0.0"}, {"version_value": "2.0.1"}, {"version_value": "2.1.0"}, {"version_value": "2.1.1"}, {"version_value": "2.2.0"}, {"version_value": "2.2.1"}, {"version_value": "2.3.0"}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "[kafka-users] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cusers.kafka.apache.org%3E"}, {"name": "[oss-security] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/01/14/1"}, {"name": "[announce] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9@%3Cannounce.apache.org%3E"}, {"name": "[kafka-dev] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20200115 [kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261@%3Ccommits.kafka.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis opened a new pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh opened a new pull request #9261: Address CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9261: Address CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh closed pull request #9261: Address CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9261: Address CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] jihoonson merged pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[kafka-commits] 20210921 [kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662@%3Ccommits.kafka.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:17:40.107Z"}, "title": "CVE Program Container", "references": [{"name": "[kafka-users] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cusers.kafka.apache.org%3E"}, {"name": "[oss-security] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/01/14/1"}, {"name": "[announce] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cannounce.apache.org%3E"}, {"name": "[kafka-dev] 20200113 CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20200115 [kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261%40%3Ccommits.kafka.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis opened a new pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200126 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh opened a new pull request #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] suneet-s commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on issue #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] clintropolis commented on a change in pull request #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh closed pull request #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] ccaominh commented on issue #9261: Address CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200127 [GitHub] [druid] jihoonson merged pull request #9259: fix build by updating kafka client to 2.2.2 for CVE-2019-12399", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[kafka-commits] 20210921 [kafka-site] branch asf-site updated: Add CVE-2021-38153 (#375)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662%40%3Ccommits.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-12399", "datePublished": "2020-01-14T14:28:57", "dateReserved": "2019-05-28T00:00:00", "dateUpdated": "2024-08-04T23:17:40.107Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:kafka:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "3401C660-9782-4B4B-BB4E-30DFC0FB19A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "819D6407-01AC-4532-8D93-A6A49C7A5CAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9E12F028-B0FB-4350-A5D0-7FF008CCDEE9", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2A286D95-ED8F-4B46-910C-72E76E846172", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B7D1AA39-710E-4525-B2D2-23000978B902", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "2C8F5AAD-5128-4BA6-AE55-D588686B3932", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:kafka:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "2FF727C0-8925-4344-8D5A-F4F8D6E59219", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D0F902CB-E268-4912-B997-0E4ADBF1C7D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "433E4433-DD4C-4AD5-A9AC-7DDDDF8E27DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E22E42AC-3E72-476E-BF27-76FA520ECB52", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A231882-F8F5-4BB7-95C3-92A5E0F5C3C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_liquidity_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "965EDB5A-A8E9-4ACB-AA93-610F13031A90", "versionEndIncluding": "14.4.0", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "E8A8BF67-6452-4FBA-8838-B755C2E1E38F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:*:*:*:*:*:*:*:*", "matchCriteriaId": "2702CE03-3983-434A-8D47-29AD9E6E85C7", "versionEndIncluding": "14.4.0", "versionStartIncluding": "14.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "64A47255-88F8-4093-88FE-07B87E4A329A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "EFFF3D18-B058-4EF9-AFAF-0264DB1CF91B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "659D80AA-A203-4EF1-8240-86DD344D7045", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "68FC2B96-5DE0-4C85-86E1-46DF9D0B4678", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7", "versionEndExcluding": "21.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "FC9A5185-F623-48C2-8364-A3303D1566DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "021014B2-DC51-481C-BCFE-5857EFBDEDDA", "versionEndIncluding": "8.1.0", "versionStartIncluding": "8.0.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_universal_banking:14.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA0D5775-0FC8-407E-BAAB-A8C9D6743117", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables."}, {"lang": "es", "value": "Cuando los trabajadores de Connect en Apache Kafka versiones 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1 o 2.3.0, son configurados con uno o m\u00e1s proveedores de configuraci\u00f3n, y un conector es creado y actualizado sobre este cl\u00faster Connect para usar una variable secreta externalizada en una subcadena de un valor de propiedad de configuraci\u00f3n del conector, cualquier cliente puede emitir una petici\u00f3n al mismo cl\u00faster de Connect para obtener la configuraci\u00f3n de tareas del conector y la respuesta contendr\u00e1 el secreto de texto plano en lugar de las variables secretas externalizadas."}], "id": "CVE-2019-12399", "lastModified": "2023-11-07T03:03:32.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-14T15:15:12.803", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/01/14/1"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cusers.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261%40%3Ccommits.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662%40%3Ccommits.kafka.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:0939", "cpe": "cpe:/a:redhat:amq_streams:1", "package": "kafka", "product_name": "Red Hat AMQ Streams 1", "release_date": "2020-03-23T00:00:00Z"}], "bugzilla": {"description": "kafka: Connect REST API exposes plaintext secrets in tasks endpoint", "id": "1796593", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796593"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables."], "name": "CVE-2019-12399", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "kafka", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "kafka", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "kafka", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat Process Automation 7"}], "public_date": "2020-01-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-12399\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-12399"], "threat_severity": "Moderate", "upstream_fix": "kafka 2.0.2, kafka 2.1.2, kafka 2.2.2, kafka 2.3.1"}