CVE-2019-12399

Published Jan 14, 2020

Last updated a year ago

CVSS high 7.5

Overview

Description: When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.
Source: security@apache.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-319

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3401C660-9782-4B4B-BB4E-30DFC0FB19A6"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "819D6407-01AC-4532-8D93-A6A49C7A5CAC"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E12F028-B0FB-4350-A5D0-7FF008CCDEE9"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2A286D95-ED8F-4B46-910C-72E76E846172"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B7D1AA39-710E-4525-B2D2-23000978B902"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2C8F5AAD-5128-4BA6-AE55-D588686B3932"
          },
          {
            "criteria": "cpe:2.3:a:apache:kafka:2.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2FF727C0-8925-4344-8D5A-F4F8D6E59219"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D0F902CB-E268-4912-B997-0E4ADBF1C7D5"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "433E4433-DD4C-4AD5-A9AC-7DDDDF8E27DB"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E22E42AC-3E72-476E-BF27-76FA520ECB52"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1A231882-F8F5-4BB7-95C3-92A5E0F5C3C1"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_liquidity_management:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "965EDB5A-A8E9-4ACB-AA93-610F13031A90",
            "versionEndIncluding": "14.4.0",
            "versionStartIncluding": "14.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E8A8BF67-6452-4FBA-8838-B755C2E1E38F"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2702CE03-3983-434A-8D47-29AD9E6E85C7",
            "versionEndIncluding": "14.4.0",
            "versionStartIncluding": "14.2.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "64A47255-88F8-4093-88FE-07B87E4A329A"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EFFF3D18-B058-4EF9-AFAF-0264DB1CF91B"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "659D80AA-A203-4EF1-8240-86DD344D7045"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "68FC2B96-5DE0-4C85-86E1-46DF9D0B4678"
          },
          {
            "criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7",
            "versionEndExcluding": "21.1.2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FC9A5185-F623-48C2-8364-A3303D1566DD"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "021014B2-DC51-481C-BCFE-5857EFBDEDDA",
            "versionEndIncluding": "8.1.0",
            "versionStartIncluding": "8.0.6"
          },
          {
            "criteria": "cpe:2.3:a:oracle:flexcube_universal_banking:14.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DA0D5775-0FC8-407E-BAAB-A8C9D6743117"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References