Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592
Related Vulnerabilities
CVE-2018-14042 Vulnerability in maven package org.webjars.bowergithub.jasny:bootstrap
CVE-2022-23618 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2023-31103 Vulnerability in maven package org.apache.inlong:manager-web
CVE-2020-2298 Vulnerability in maven package org.jenkins-ci.plugins:nerrvana-plugin
CVE-2022-20612 Vulnerability in maven package org.jenkins-ci.main:jenkins-core