Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2023-33945 Vulnerability in maven package com.liferay.portal:release.portal.bom

CVE-2018-17195 Vulnerability in maven package org.apache.nifi:nifi-web-api

CVE-2017-12624 Vulnerability in maven package org.apache.cxf:cxf-rt-frontend-jaxrs

CVE-2019-10425 Vulnerability in maven package org.jvnet.hudson.plugins:gcal

CVE-2017-3589 Vulnerability in maven package mysql:mysql-connector-java

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking