Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2020-15087 Vulnerability in maven package io.prestosql:presto-main

CVE-2020-13932 Vulnerability in maven package org.apache.activemq:artemis-plugin

CVE-2017-5929 Vulnerability in maven package ch.qos.logback:logback-classic

CVE-2015-1813 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2010-1157 Vulnerability in maven package tomcat:catalina

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking