Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592