Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
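A log check for the exposure described above, as an added example that is not part of the advisory or the Alpakka Kafka project. It assumes a log layout where the level and logger name appear on each line and that credentials show up as `password=...` pairs, as in a Kafka `sasl.jaas.config` entry; the sample lines are constructed.

```python
import re

# Logger named in the advisory.
LOGGER = "akka.kafka.internal.KafkaConsumerActor"

# Assumption: secrets appear as key=value pairs whose key ends in "password",
# e.g. password="..." inside sasl.jaas.config, or ssl.keystore.password=...
SECRET = re.compile(
    r'(?i)\b((?:[\w.]*password)\s*=\s*)("(?:[^"\\]|\\.)*"|[^\s;,)]+)'
)


def scan(lines):
    """Return (line_number, redacted_line) for every DEBUG line emitted by
    LOGGER that carries a password value. The secret itself is never returned."""
    findings = []
    for number, line in enumerate(lines, 1):
        # Assumption: the level and logger name are printed on each line.
        if "DEBUG" not in line or LOGGER not in line:
            continue
        redacted, hits = SECRET.subn(lambda m: m.group(1) + "<redacted>", line)
        if hits:
            findings.append((number, redacted))
    return findings


# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '2023-04-01 10:00:00 DEBUG akka.kafka.internal.KafkaConsumerActor - '
    'settings: bootstrap.servers=broker:9093, sasl.mechanism=PLAIN, '
    'sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule '
    'required username="svc" password="EXAMPLE-ONLY";',
    '2023-04-01 10:00:01 INFO akka.kafka.internal.KafkaConsumerActor - started',
    '2023-04-01 10:00:02 DEBUG app.Other - password=not-this-logger',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE):
        print(f"line {number}: {line}")
```

Any hit means the credential on that line should be treated as exposed to everyone with access to the log file or its aggregation pipeline.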
Remediation
References
https://github.com/akka/alpakka-kafka/issues/1592
https://akka.io/security/alpakka-kafka-cve-2023-29471.html