Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-spring

CVE-2011-1088 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2023-4759 Vulnerability in maven package org.eclipse.jgit:org.eclipse.jgit

CVE-2015-1806 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2015-5346 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking