Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2019-10334 Vulnerability in maven package org.jenkins-ci.plugins:electricflow

CVE-2018-1999044 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2020-6950 Vulnerability in maven package org.glassfish:jakarta.faces

CVE-2023-29510 Vulnerability in maven package org.xwiki.platform:xwiki-platform-localization-source-wiki

CVE-2020-2228 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-oauth

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking