Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2021-21611 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-50764 Vulnerability in maven package org.jenkins-ci.plugins:scriptler

CVE-2023-30547 Vulnerability in npm package vm2

CVE-2023-37913 Vulnerability in maven package org.xwiki.platform:xwiki-platform-office-importer

CVE-2021-21165 Vulnerability in maven package org.webjars.npm:electron

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking