CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint
Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0 Description: When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value (the externalized secret variable is not the whole configuration property value), then any client can issue a request to the same Connect cluster to obtain the connector's task configurations and the response will contain the plaintext secret rather than the externalized secrets variable. Mitigation: Apache Kafka Connect users should upgrade to one of the following versions where this vulnerability has been fixed: - 2.0.2 or higher - 2.1.2 or higher - 2.2.2 or higher - 2.3.1 or higher Acknowledgements: This issue was first reported by Oleksandr Diachenko. Regards, Randall