CVE-2019-12399: Information Exposure

January 14, 2020 (updated January 27, 2020)

When Connect workers in Apache Kafka are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector’s task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.

References

nvd.nist.gov/vuln/detail/CVE-2019-12399

Detect and mitigate CVE-2019-12399 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →