Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2018-17244 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2020-11987 Vulnerability in maven package org.apache.xmlgraphics:batik-svgbrowser

CVE-2019-1351 Vulnerability in npm package nodegit

CVE-2022-39248 Vulnerability in maven package org.matrix.android:matrix-android-sdk2

CVE-2014-0219 Vulnerability in maven package org.apache.karaf:org.apache.karaf.main

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking