Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592