Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592