VYPR
High severityNVD Advisory· Published Jan 14, 2020· Updated Aug 4, 2024

CVE-2019-12399

CVE-2019-12399

Description

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.kafka:kafkaMaven
>= 2.0.0, < 2.0.22.0.2
org.apache.kafka:kafkaMaven
>= 2.1.0, < 2.1.22.1.2
org.apache.kafka:kafkaMaven
>= 2.2.0, < 2.2.22.2.2
org.apache.kafka:kafkaMaven
>= 2.3.0, < 2.3.12.3.1

Affected products

2

Patches

Vulnerability mechanics

References

45

News mentions

0

No linked articles in our index yet.