Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592
Related Vulnerabilities
CVE-2023-29215 Vulnerability in maven package org.apache.linkis:linkis-metadata-query-service-jdbc
CVE-2023-38503 Vulnerability in npm package directus
CVE-2020-2240 Vulnerability in maven package org.jenkins-ci.plugins:database
CVE-2023-32989 Vulnerability in maven package org.jenkins-ci.plugins:azure-vm-agents
CVE-2017-5641 Vulnerability in maven package org.apache.flex.blazeds:blazeds