Bugzilla – Bug 1160854
VUL-0: CVE-2019-12399: kafka: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
Last modified: 2021-08-31 14:59:49 UTC
CVE-2019-12399 When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value (the externalized secret variable is not the whole configuration property value), then any client can issue a request to the same Connect cluster to obtain the connector's task configurations and the response will contain the plaintext secret rather than the externalized secrets variable.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12399
http://seclists.org/oss-sec/2020/q1/4
Versions Affected: Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0

Mitigation: Apache Kafka Connect users should upgrade to one of the following versions where this vulnerability has been fixed:
- 2.0.2 or higher
- 2.1.2 or higher
- 2.2.2 or higher
- 2.3.1 or higher
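As an added illustration (not part of this bug report or of Apache Kafka's own code), a small Python audit that flags connector properties in which a config-provider variable is only a substring of the value, the exact case the advisory describes, and checks the worker version against the affected list above. The connector configuration and the `file` provider path are constructed sample values.

```python
import re
from typing import Dict, List, Tuple

# Affected versions exactly as listed in the advisory above.
AFFECTED_VERSIONS = {"2.0.0", "2.0.1", "2.1.0", "2.1.1", "2.2.0", "2.2.1", "2.3.0"}

# Kafka Connect config-provider variable syntax: ${provider:path:key}
# (the path segment is optional, e.g. ${env:DB_PASSWORD}).
VARIABLE_RE = re.compile(r"\$\{([^}]*?):(?:([^}]*?):)?([^}]*?)\}")


def find_partial_externalizations(config: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (property, value) pairs whose value embeds a provider variable
    that is NOT the entire value. On affected workers these are the properties
    whose resolved secret is returned in plaintext by the tasks endpoint; a
    value that is wholly a single variable is re-externalized and stays hidden."""
    findings = []
    for key, value in config.items():
        matches = list(VARIABLE_RE.finditer(value))
        if not matches:
            continue
        whole_value = len(matches) == 1 and matches[0].span() == (0, len(value))
        if not whole_value:
            findings.append((key, value))
    return findings


def is_affected_worker(version: str) -> bool:
    """True only for the Connect worker versions named in the advisory."""
    return version.strip() in AFFECTED_VERSIONS


def exposed_properties(worker_version: str, config: Dict[str, str]) -> List[str]:
    """Property names expected to leak via GET /connectors/<name>/tasks."""
    if not is_affected_worker(worker_version):
        return []
    return [key for key, _ in find_partial_externalizations(config)]


# Constructed sample connector config (class name and secret file are made up).
SAMPLE_CONFIG = {
    "connector.class": "io.example.JdbcSinkConnector",
    # Whole value is one variable: stays externalized in task configs.
    "connection.password": "${file:/opt/connect/secrets.properties:db.password}",
    # Variable is a substring of a larger value: resolved secret leaks.
    "connection.url": "jdbc:postgresql://db:5432/app?password="
                      "${file:/opt/connect/secrets.properties:db.password}",
}

if __name__ == "__main__":
    for ver in ("2.3.0", "2.3.1"):
        print(ver, "->", exposed_properties(ver, SAMPLE_CONFIG))
```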
SOC9/8/7 ship with a much older version of Kafka so this CVE does not apply.

Information for package kafka:
------------------------------
Repository     : Cloud
Name           : kafka
Version        : 0.10.2.2-1.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Support Level  : Level 3
Installed Size : 41.1 MiB
Installed      : Yes
Status         : up-to-date
Source package : kafka-0.10.2.2-1.1.src
Summary        : Apache Kafka Server
Description    :

Security, please verify and close.
Let's consider this fixed upstream.