Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://github.com/akka/alpakka-kafka/issues/1592

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

Related Vulnerabilities

CVE-2023-46651 Vulnerability in maven package io.jenkins.plugins:warnings-ng

CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-services

CVE-2020-2138 Vulnerability in maven package org.jenkins-ci.plugins:cobertura

CVE-2020-27222 Vulnerability in maven package org.eclipse.californium:scandium

CVE-2019-20365 Vulnerability in maven package org.igniterealtime.openfire:xmppserver

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory