CVE-2019-12399
high-risk
Published 2020-01-14
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created or updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration, and the response will contain the plaintext secret rather than the externalized secret variable.
Do I need to act?
EPSS score: 2.3% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 7.5/10 (High); attack vector NETWORK, attack complexity LOW
Affected Products (20)
Kafka
Banking Liquidity Management
References (48)
Risk score: 53/100 (high-risk)
Severity: 26/34 · High
Exploitability: 5/34 · Minimal
Exposure: 22/34 · High