Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592
Related Vulnerabilities
CVE-2019-10334 Vulnerability in maven package org.jenkins-ci.plugins:electricflow
CVE-2018-1999044 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-6950 Vulnerability in maven package org.glassfish:jakarta.faces
CVE-2020-2228 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-oauth