Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592