Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
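A check for existing log files, added here as an example and not taken from the advisory or the Alpakka Kafka project: it flags DEBUG lines from KafkaConsumerActor that carry an unmasked password value and returns them redacted. The log layout, the sample lines, the function names and the set of "already masked" markers are assumptions.

```python
import re

# Logger named in the advisory; logging patterns may abbreviate the package,
# so match on the class name only.
LOGGER_HINT = "KafkaConsumerActor"
MASKED = {"[hidden]", "null", "<redacted>"}  # assumed markers for masked values

# Matches password="..." in a JAAS entry (quotes may be backslash-escaped in a
# rendered config) and bare keys such as ssl.key.password = value.
SECRET = re.compile(
    r'(\b[\w.]*password\s*[=:]\s*)(?:(\\?["\'])(.*?)\2|([^\s"\'\\;,]+))',
    re.IGNORECASE,
)

def _mask(m):
    if m.group(2):                       # quoted value: keep the quoting style
        return f"{m.group(1)}{m.group(2)}<redacted>{m.group(2)}"
    if m.group(4) in MASKED:             # value was already masked upstream
        return m.group(0)
    return f"{m.group(1)}<redacted>"

def redact(line):
    """Replace every unmasked password value in one log line."""
    return SECRET.sub(_mask, line)

def find_leaks(lines):
    """Return (line_number, redacted_line) for DEBUG lines from the consumer
    actor that contain an unmasked password value."""
    hits = []
    for n, line in enumerate(lines, 1):
        if "DEBUG" in line and LOGGER_HINT in line:
            clean = redact(line)
            if clean != line:
                hits.append((n, clean))
    return hits

# Constructed sample lines; the real layout depends on the logging pattern.
SAMPLE = [
    r'2023-04-10 12:00:00 INFO  akka.kafka.internal.KafkaConsumerActor - consumer started',
    r'2023-04-10 12:00:01 DEBUG akka.kafka.internal.KafkaConsumerActor - sasl.jaas.config = "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"svc-orders\" password=\"constructed-secret\";"',
    r'2023-04-10 12:00:02 DEBUG a.k.i.KafkaConsumerActor - ssl.key.password = [hidden]',
    r'2023-04-10 12:00:03 DEBUG com.example.Other - poll returned 0 records',
]

if __name__ == "__main__":
    for n, clean in find_leaks(SAMPLE):
        print(f"line {n}: {clean}")
```

Any credential found this way should be treated as exposed and rotated; redacting the file does not undo copies already shipped to a log aggregator.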
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592
Related Vulnerabilities
CVE-2017-1000392 Vulnerability in maven package org.jenkins-ci.main:jenkins-war
CVE-2023-4853 Vulnerability in maven package io.quarkus:quarkus-vertx-http
CVE-2020-2153 Vulnerability in maven package org.jenkins-ci.plugins:backlog
CVE-2020-6428 Vulnerability in maven package org.webjars.npm:electron