Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
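An added example (not from the advisory or the Alpakka Kafka project) for checking existing log files for the exposure described above: it flags log lines that carry Kafka credential values and returns them redacted. The sample lines and their layout are constructed, since the real message format of the affected logger is not shown on this page, and the names redact and scan are hypothetical.

```python
import re

# Logger named in the advisory; used only to tag where a finding came from.
LOGGER = "akka.kafka.internal.KafkaConsumerActor"
# password="..." inside a JAAS string (sasl.jaas.config), quotes possibly escaped.
JAAS_PW = re.compile(r'(password\s*=\s*\\?")[^"\\]+')
# Kafka client properties that hold a secret directly.
KEY_PW = re.compile(r'(ssl\.(?:key|keystore|truststore)\.password"?\s*[=:]\s*"?)([^",\s}]+)')
# Values that are not secrets: masked or unset settings, or our own marker.
NON_SECRETS = {"null", "[hidden]", "<redacted>"}

def redact(line):
    """Return (redacted_line, number_of_secret_values_found)."""
    hits = 0
    def jaas(m):
        nonlocal hits
        hits += 1
        return m.group(1) + "<redacted>"
    def key(m):
        nonlocal hits
        if m.group(2) in NON_SECRETS:
            return m.group(0)
        hits += 1
        return m.group(1) + "<redacted>"
    line = JAAS_PW.sub(jaas, line)
    return KEY_PW.sub(key, line), hits

def scan(lines):
    """Return [(line_no, from_affected_logger, redacted_line)] for lines with secrets."""
    findings = []
    for n, line in enumerate(lines, 1):
        clean, hits = redact(line)
        if hits:
            findings.append((n, LOGGER in line, clean))
    return findings

# Constructed sample log lines (assumed layout, not real Alpakka Kafka output).
SAMPLE = [
    '10:00:01 INFO  app.Main - starting consumer',
    '10:00:02 DEBUG ' + LOGGER + ' - settings { sasl.mechanism=PLAIN, sasl.jaas.config='
    '"org.apache.kafka.common.security.plain.PlainLoginModule required '
    'username=\\"svc\\" password=\\"constructed-pw\\";" }',
    '10:00:03 DEBUG ' + LOGGER + ' - ssl.keystore.password = [hidden]',
    '10:00:04 DEBUG app.Config - ssl.truststore.password=constructed-ts-pw',
]

if __name__ == "__main__":
    for n, affected, clean in scan(SAMPLE):
        print(n, "affected-logger" if affected else "other-logger", clean)
```

Any credential found this way in retained logs should be treated as exposed and rotated.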
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592