CVE-2019-12399

Name of the Vulnerable Software and Affected Versions Apache Kafka versions 2.0.0 through 2.3.0

Description The issue is related to the transmission of data in plain text, allowing an unauthorized party to gain access to protected information. When Connect workers in Apache Kafka are configured with one or more config providers and a connector is created or updated to use an externalized secret variable, any client can issue a request to obtain the connector's task configuration, and the response will contain the plaintext secret rather than the externalized secrets variables.

Recommendations For Apache Kafka versions 2.0.0 through 2.3.0, consider disabling the use of externalized secret variables in connector configuration property values until a patch is available. Restrict access to the Connect cluster to minimize the risk of exploitation. Avoid using externalized secret variables in substrings of connector configuration property values until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.