Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592