Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://github.com/akka/alpakka-kafka/issues/1592

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

Related Vulnerabilities

CVE-2020-10199 Vulnerability in maven package org.sonatype.nexus:nexus-extdirect

CVE-2018-20676 Vulnerability in maven package org.webjars.bower:bootstrap

CVE-2023-20866 Vulnerability in maven package org.springframework.session:spring-session-core

CVE-2023-6394 Vulnerability in maven package io.quarkus:quarkus-smallrye-graphql

CVE-2023-32993 Vulnerability in maven package io.jenkins.plugins:miniorange-saml-sp

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory