Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592