Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
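To check whether existing log files were affected, the added example below (not code from Alpakka Kafka or the advisory) finds DEBUG lines from the logger named above that contain a JAAS `password="..."` value and returns them with the secret masked. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re

# Logger the advisory names as the source of the leak.
AFFECTED_LOGGER = "akka.kafka.internal.KafkaConsumerActor"

# Kafka's PLAIN login module carries its secret inside sasl.jaas.config as
# password="..."; capture the quoted value so it can be masked.
JAAS_PASSWORD = re.compile(r'(password\s*=\s*")([^"]*)(")', re.IGNORECASE)

# Constructed sample lines; the real layout depends on your logging pattern.
SAMPLE_LOG = [
    '2023-01-01 10:00:01 DEBUG akka.kafka.internal.KafkaConsumerActor - '
    'Creating consumer: bootstrap.servers=broker.example:9093, sasl.mechanism=PLAIN, '
    'sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule '
    'required username="svc-orders" password="EXAMPLE-SECRET";',
    '2023-01-01 10:00:02 INFO  akka.kafka.internal.KafkaConsumerActor - Consumer started',
    '2023-01-01 10:00:03 DEBUG com.example.OrderService - password="not-from-kafka"',
]


def redact(line):
    """Mask every JAAS password value in a log line."""
    return JAAS_PASSWORD.sub(r'\1***\3', line)


def find_leaks(lines):
    """Return (line_number, redacted_line) for DEBUG lines from the affected
    logger that still contain an unmasked, non-empty JAAS password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        # Assumption: the level appears as a space-delimited token in the line.
        if AFFECTED_LOGGER not in line or " DEBUG " not in line:
            continue
        values = [m.group(2) for m in JAAS_PASSWORD.finditer(line)]
        if any(v not in ("", "***") for v in values):
            hits.append((number, redact(line)))
    return hits


if __name__ == "__main__":
    for number, safe_line in find_leaks(SAMPLE_LOG):
        print(f"line {number}: {safe_line}")
```

Any credential found this way should be treated as exposed to everyone with read access to the log and rotated, since masking the file does not undo earlier reads or copies.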
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592