Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2022-36905 Vulnerability in maven package eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin

CVE-2013-4590 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2019-1003026 Vulnerability in maven package org.jenkins-ci.plugins:mattermost

CVE-2019-1003087 Vulnerability in maven package org.jenkins-ci.plugins:sinatra-chef-builder

CVE-2020-2257 Vulnerability in maven package org.jenkins-ci.plugins:validating-string-parameter

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking