Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2022-26594 Vulnerability in maven package com.liferay:com.liferay.dynamic.data.mapping.form.field.type

CVE-2017-0783 Vulnerability in maven package org.apache.openmeetings:openmeetings-web

CVE-2019-1003091 Vulnerability in maven package com.soasta.jenkins:cloudtest

CVE-2023-26491 Vulnerability in npm package rsshub

CVE-2023-49299 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking