kafka-commits mailing list archives

From cmcc...@apache.org
Subject [kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250)
Date Wed, 15 Jan 2020 17:13:58 GMT
This is an automated email from the ASF dual-hosted git repository.

cmccabe pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 0bb229d  Add CVE-2019-12399 (#250)
0bb229d is described below

commit 0bb229dc655b5e3b415bf54c30914304943d0eec
Author: Randall Hauch <rhauch@gmail.com>
AuthorDate: Wed Jan 15 11:13:52 2020 -0600

    Add CVE-2019-12399 (#250)
    
    Reviewers: Colin P. McCabe <cmccabe@apache.org>
---
 cve-list.html | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index 5c797df..d88d765 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -8,6 +8,40 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
+<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a>
+Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint</h2>
+
+<p>When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or
2.3.0 are
+configured with one or more config providers, and a connector is created/updated on 
+that Connect cluster to use an externalized secret variable in a substring of a 
+connector configuration property value (the externalized secret variable is not the
+whole configuration property value), then any client can issue a request to 
+the same Connect cluster to obtain the connector's task configurations and 
+the response will contain the plaintext secret rather than the externalized secrets variable.
+Users should upgrade to 2.0.2 or higher, 2.1.2 or higher, 2.2.2 or higher, or 2.3.1 or higher
+where this vulnerability has been fixed.</p>
+
+<table class="data-table">
+<tbody>
+  <tr>
+    <td>Versions affected</td>
+    <td>2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0</td>
+  </tr>
+  <tr>
+    <td>Fixed versions</td>
+    <td>2.0.2, 2.1.2, 2.2.2, 2.3.1 and later</td>
+  </tr>
+  <tr>
+    <td>Impact</td>
+    <td>This issue could result in exposing externalized connector secrets.</td>
+  </tr>
+  <tr>
+    <td>Issue announced</td>
+    <td>13 Jan 2020</td>
+  </tr>
+</tbody>
+</table>
+
 <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a>
 Authenticated clients with Write permission may bypass transaction/idempotent ACL validation</h2>
 <p>In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually
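Review bot: the "Fixed versions" cell in this hunk reads "2.0.2, 2.1.2, 2.2.2, 2.3.1 and later", where "and later" can be read as qualifying only 2.3.1, while the paragraph above it states that each of 2.0.2, 2.1.2, 2.2.2 and 2.3.1 "or higher" carries the fix; suggest aligning the cell with the paragraph, e.g. "2.0.2 or later, 2.1.2 or later, 2.2.2 or later, 2.3.1 or later", so a reader scanning only the table does not conclude that 2.0.x, 2.1.x and 2.2.x patch releases after the listed ones are unfixed. Also, the description line "rather than the externalized secrets variable" should read "externalized secret variable" to match the wording used twice earlier in the same paragraph.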

