CVE-2019-12399 in Apache and Oracle Products
Published on January 14, 2020

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

NVD

Products Associated with CVE-2019-12399

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-12399 are published in these products:

Apache Kafka

Oracle Financial Services Analytical Applications Infrastructure

Oracle Banking Corporate Lending Process Management

Oracle Banking Credit Facilities Process Management

Oracle Banking Liquidity Management

Oracle Banking Payments

Oracle Banking Platform

Oracle Banking Supply Chain Finance

Oracle Banking Trade Finance Process Management

Oracle Flexcube Universal Banking

Oracle Banking Virtual Account Management

Oracle Communications Cloud Native Core Policy

Oracle Blockchain Platform

Affected Versions

Apache Kafka:

Version Apache Kafka 2.0.0 is affected.
Version 2.0.1 is affected.
Version 2.1.0 is affected.
Version 2.1.1 is affected.
Version 2.2.0 is affected.
Version 2.2.1 is affected.
Version 2.3.0 is affected.

Exploit Probability

EPSS

2.31%

Percentile

84.48%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2019-12399 in Apache and Oracle ProductsPublished on January 14, 2020

Products Associated with CVE-2019-12399

Affected Versions

Exploit Probability

CVE-2019-12399 in Apache and Oracle Products
Published on January 14, 2020