mirror of
https://github.com/0xMarcio/cve.git
synced 2025-05-29 17:50:34 +00:00
21 lines
1.1 KiB
Markdown
21 lines
1.1 KiB
Markdown
|
### [CVE-2019-12399](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399)
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
### Description
|
||
|
|
|
||
|
|
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.
|
||
|
|
|
||
|
|
### POC
|
||
|
|
|
||
|
|
#### Reference
|
||
|
|
- https://www.oracle.com//security-alerts/cpujul2021.html
|
||
|
|
- https://www.oracle.com/security-alerts/cpuApr2021.html
|
||
|
|
- https://www.oracle.com/security-alerts/cpuapr2022.html
|
||
|
|
- https://www.oracle.com/security-alerts/cpujan2021.html
|
||
|
|
|
||
|
|
#### Github
|
||
|
|
No PoCs found on GitHub currently.
|
||
|
|
|