CVE-2019-12399

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2020/01/14/1	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261%40%3Ccommits.kafka.apache.org%3E
https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662%40%3Ccommits.kafka.apache.org%3E
https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262%40%3Ccommits.druid.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:kafka:2.0.0:::::::*
	cpe:2.3:a:apache:kafka:2.0.1:::::::*
	cpe:2.3:a:apache:kafka:2.1.0:::::::*
	cpe:2.3:a:apache:kafka:2.1.1:::::::*
	cpe:2.3:a:apache:kafka:2.2.0:::::::*
	cpe:2.3:a:apache:kafka:2.2.1:::::::*
	cpe:2.3:a:apache:kafka:2.3.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_liquidity_management::::::::
	cpe:2.3:a:oracle:banking_payments:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance::::::::
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.4.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.1.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.4.0:::::::*
	cpe:2.3:a:oracle:blockchain_platform::::::::
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:flexcube_universal_banking:14.4.0:::::::*

History

No history.

Information

Published : 2020-01-14 15:15

Updated : 2023-11-07 03:03

NVD link : CVE-2019-12399

Mitre link : CVE-2019-12399

CVE.ORG link : CVE-2019-12399

JSON object : View

Products Affected

oracle

banking_liquidity_management
banking_supply_chain_finance
banking_platform
communications_cloud_native_core_policy
banking_virtual_account_management
banking_payments
banking_credit_facilities_process_management
financial_services_analytical_applications_infrastructure
banking_trade_finance_process_management
banking_corporate_lending_process_management
blockchain_platform
flexcube_universal_banking

apache

kafka

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2019-12399", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-01-14T15:15:12.803", "references": [{"url": "http://www.openwall.com/lists/oss-security/2020/01/14/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r0e3a613705d70950aca2bfe9a6265c87503921852d9a3dbce512ca9f%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r2d390dec5f360ec8aa294bef18e1a4385e2a3698d747209216f5a48b%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r3154f5adbc905f1f9012a92240c8e00a96628470cc819453b9606d0e%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r3203d7f25a6ca56ff3e48c43a6aa7cb60b8e5d57d0eed9f76dc2b7a8%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r47c225db363d1ee2c18c4b3b2f51b63a9789f78c7fa602e5976ecd05%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r4b20b40c40d4a4c641e2ef4228098a57935e5782bfdfdf3650e48265%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r4d9e87cdae99e98d7b244cfa53d9d2532d368d3a187fbc87c493dcbe%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r56eb055b544931451283fee51f7e1f5b8ebd3085fed7d77aaba504c9%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cannounce.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cdev.kafka.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r6af5ed95726874e9add022955be83c192428c248d1c9a1914aff89d9%40%3Cusers.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r6fa1cff4786dcef2ddd1d717836ef123c878e8321c24855bad24ae0f%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r801c68bf987931f35d2e24ecc99f3aa2850fdd8f5ef15fe6c60fecf3%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r9871a4215b621c1d09deee5eba97f0f44fde01b4363deb1bed0dd160%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261%40%3Ccommits.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rda253155601968331b5cf0da4f273813bbd91843c2568a8495d1c662%40%3Ccommits.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rde947ee866de6687bc51cdc8dfa6d7e6b3ad4ce8c708c344f773e6dc%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rfe90ca0463c199b99c2921410639aed53a172ea8b733eab0dc776262%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables."}, {"lang": "es", "value": "Cuando los trabajadores de Connect en Apache Kafka versiones 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1 o 2.3.0, son configurados con uno o m\u00e1s proveedores de configuraci\u00f3n, y un conector es creado y actualizado sobre este cl\u00faster Connect para usar una variable secreta externalizada en una subcadena de un valor de propiedad de configuraci\u00f3n del conector, cualquier cliente puede emitir una petici\u00f3n al mismo cl\u00faster de Connect para obtener la configuraci\u00f3n de tareas del conector y la respuesta contendr\u00e1 el secreto de texto plano en lugar de las variables secretas externalizadas."}], "lastModified": "2023-11-07T03:03:32.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:kafka:2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3401C660-9782-4B4B-BB4E-30DFC0FB19A6"}, {"criteria": "cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "819D6407-01AC-4532-8D93-A6A49C7A5CAC"}, {"criteria": "cpe:2.3:a:apache:kafka:2.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E12F028-B0FB-4350-A5D0-7FF008CCDEE9"}, {"criteria": "cpe:2.3:a:apache:kafka:2.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A286D95-ED8F-4B46-910C-72E76E846172"}, {"criteria": "cpe:2.3:a:apache:kafka:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7D1AA39-710E-4525-B2D2-23000978B902"}, {"criteria": "cpe:2.3:a:apache:kafka:2.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C8F5AAD-5128-4BA6-AE55-D588686B3932"}, {"criteria": "cpe:2.3:a:apache:kafka:2.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2FF727C0-8925-4344-8D5A-F4F8D6E59219"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0F902CB-E268-4912-B997-0E4ADBF1C7D5"}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78"}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "433E4433-DD4C-4AD5-A9AC-7DDDDF8E27DB"}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E22E42AC-3E72-476E-BF27-76FA520ECB52"}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61"}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A231882-F8F5-4BB7-95C3-92A5E0F5C3C1"}, {"criteria": "cpe:2.3:a:oracle:banking_liquidity_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "965EDB5A-A8E9-4ACB-AA93-610F13031A90", "versionEndIncluding": "14.4.0", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8A8BF67-6452-4FBA-8838-B755C2E1E38F"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA"}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2702CE03-3983-434A-8D47-29AD9E6E85C7", "versionEndIncluding": "14.4.0", "versionStartIncluding": "14.2.0"}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64A47255-88F8-4093-88FE-07B87E4A329A"}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8"}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFFF3D18-B058-4EF9-AFAF-0264DB1CF91B"}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "659D80AA-A203-4EF1-8240-86DD344D7045"}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80"}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68FC2B96-5DE0-4C85-86E1-46DF9D0B4678"}, {"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7", "versionEndExcluding": "21.1.2"}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC9A5185-F623-48C2-8364-A3303D1566DD"}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "021014B2-DC51-481C-BCFE-5857EFBDEDDA", "versionEndIncluding": "8.1.0", "versionStartIncluding": "8.0.6"}, {"criteria": "cpe:2.3:a:oracle:flexcube_universal_banking:14.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA0D5775-0FC8-407E-BAAB-A8C9D6743117"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2019-12399

7.5^/10

5.0^/10

Attach tags to `CVE-2019-12399`