Information Exposure Affecting org.apache.kafka:kafka package, versions [2.0.0,2.0.2)[2.1.0,2.1.2)[2.3.0,2.3.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (65th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGAPACHEKAFKA-541854
  • published15 Jan 2020
  • disclosed13 Jan 2020
  • creditOleksandr Diachenko

Introduced: 13 Jan 2020

CVE-2019-12399  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade org.apache.kafka:kafka to version 2.0.2, 2.1.2, 2.3.1 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure. Any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalised secrets variables.

CVSS Base Scores

version 3.1