Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592