Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
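To check whether existing log files already contain such credentials, the following added example (not code from Alpakka Kafka or from this advisory) scans log lines attributed to `KafkaConsumerActor` for a cleartext JAAS password, as used by Kafka's `sasl.jaas.config` for SASL/PLAIN, and reports them with the secret masked. The log line layout and the sample lines are constructed assumptions; adapt the matching to your own logging pattern.

```python
import re

# Class named in the advisory; matched by simple name so abbreviated
# logger patterns (e.g. "a.k.i.KafkaConsumerActor") are still caught.
LOGGER_HINT = "KafkaConsumerActor"
MASK = "***"

# JAAS-style secret as it appears in Kafka's sasl.jaas.config for SASL/PLAIN:
#   ... PlainLoginModule required username="u" password="p";
# The value may contain backslash-escaped quotes.
JAAS_PASSWORD = re.compile(r'(password\s*=\s*)"((?:[^"\\]|\\.)+)"')


def redact(line):
    """Replace every JAAS password value in the line with a fixed mask."""
    return JAAS_PASSWORD.sub(lambda m: f'{m.group(1)}"{MASK}"', line)


def find_exposures(lines):
    """Return (line_number, redacted_line) for each consumer-actor log line
    that carries a cleartext JAAS password. Already-masked lines are skipped."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if LOGGER_HINT not in line:
            continue
        secrets = [m.group(2) for m in JAAS_PASSWORD.finditer(line)]
        if any(secret != MASK for secret in secrets):
            hits.append((number, redact(line.rstrip("\n"))))
    return hits


# Constructed sample lines (assumed layout: timestamp, level, logger, message).
SAMPLE_LOG = [
    '2023-04-01 10:00:00,001 DEBUG akka.kafka.internal.KafkaConsumerActor - '
    'consumer settings: bootstrap.servers=broker:9093, sasl.mechanism=PLAIN, '
    'sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule '
    'required username="svc-orders" password="EXAMPLE-ONLY";',
    '2023-04-01 10:00:00,050 INFO  akka.kafka.internal.KafkaConsumerActor - '
    'partitions assigned',
    '2023-04-01 10:00:01,000 DEBUG com.example.Other - password="unrelated"',
]

if __name__ == "__main__":
    for number, line in find_exposures(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Any hit means the credential was written to disk in cleartext and should be treated as exposed to everyone who can read those logs or their downstream copies.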
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592