Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592