Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592