Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2019-12399

Опубликовано: 14 янв. 2020
Источник: nvd
CVSS3: 7.5
CVSS2: 5
EPSS Низкий

Описание

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:kafka:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:kafka:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:kafka:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:kafka:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:kafka:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:kafka:2.3.0:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_liquidity_management:*:*:*:*:*:*:*:*
Версия от 14.0.0 (включая) до 14.4.0 (включая)
cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_supply_chain_finance:*:*:*:*:*:*:*:*
Версия от 14.2.0 (включая) до 14.4.0 (включая)
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
Версия до 21.1.2 (исключая)
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
Версия от 8.0.6 (включая) до 8.1.0 (включая)
cpe:2.3:a:oracle:flexcube_universal_banking:14.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 84%
0.02307
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-319

Связанные уязвимости

redhat логотип

CVE-2019-12399

CVSS3: 7.5
redhat
около 6 лет назад

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

debian логотип

CVE-2019-12399

CVSS3: 7.5
debian
около 6 лет назад

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0 ...

github логотип

GHSA-6jmf-mxwf-r3jc

CVSS3: 7.5
github
больше 5 лет назад

Exposure of Sensitive Information to an Unauthorized Actor in Apache Kafka

fstec логотип

BDU:2021-01001

CVSS3: 7.5
fstec
около 6 лет назад

Уязвимость компонента Connect workers диспетчера сообщений Apache Kafka, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 84%
0.02307
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-319