Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2022-41249 Vulnerability in maven package com.meowlomo.jenkins:scm-httpclient

CVE-2019-10433 Vulnerability in maven package com.ztbsuper:dingding-notifications

CVE-2020-11998 Vulnerability in maven package org.apache.activemq:activemq-broker

CVE-2018-17247 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2023-34453 Vulnerability in maven package org.xerial.snappy:snappy-java

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking