Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
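To check whether existing logs already carry such credentials, the following added example (not code from the advisory or from Alpakka Kafka) scans log lines for JAAS password values and masks them. It assumes the credential appears in the form of Kafka's sasl.jaas.config entry (password="..."); the log line layout and the sample lines are constructed for illustration.

```python
import re

# Logger/class named in the advisory; used only to attribute a hit.
LOGGER = "akka.kafka.internal.KafkaConsumerActor"

# Assumption: the secret shows up as a JAAS option, password="..." or password='...'.
# The optional backslash covers logs that JSON-escape the quotes (password=\"...\").
JAAS_PASSWORD = re.compile(r'''(\bpassword\s*=\s*)(\\?["'])(?:\\.|(?!\2).)*?\2''', re.I)


def redact(line):
    """Return the line with every JAAS password value replaced by ***."""
    return JAAS_PASSWORD.sub(lambda m: m.group(1) + m.group(2) + "***" + m.group(2), line)


def scan(lines):
    """Return (line_number, from_consumer_actor, redacted_line) for each leaking line."""
    hits = []
    for number, line in enumerate(lines, 1):
        if JAAS_PASSWORD.search(line):
            hits.append((number, LOGGER in line, redact(line.rstrip("\n"))))
    return hits


# Constructed sample log lines (illustrative layout, not captured output).
SAMPLE = [
    "12:00:01 INFO  app.Main - consumer starting",
    "12:00:02 DEBUG akka.kafka.internal.KafkaConsumerActor - settings: "
    "sasl.mechanism=PLAIN, sasl.jaas.config="
    "org.apache.kafka.common.security.plain.PlainLoginModule required "
    'username="svc-orders" password="hunter2";',
    "12:00:03 DEBUG akka.kafka.internal.KafkaConsumerActor - max.poll.records=500",
]

if __name__ == "__main__":
    for number, from_actor, safe_line in scan(SAMPLE):
        origin = "KafkaConsumerActor" if from_actor else "other logger"
        print(f"line {number} ({origin}): {safe_line}")
```

Any hit means the logged password should be treated as exposed and rotated, since masking the file does not undo copies already shipped to log aggregation.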
Remediation
References
https://github.com/akka/alpakka-kafka/issues/1592
https://akka.io/security/alpakka-kafka-cve-2023-29471.html