Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://github.com/akka/alpakka-kafka/issues/1592
https://akka.io/security/alpakka-kafka-cve-2023-29471.html