Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2019-11269 Vulnerability in maven package org.springframework.security.oauth:spring-security-oauth2

CVE-2019-10409 Vulnerability in maven package hudson.plugins:project-inheritance

CVE-2019-10241 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2019-10404 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2020-13931 Vulnerability in maven package org.apache.tomee:openejb-loader

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking