Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2023-29203 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2018-19837 Vulnerability in maven package org.webjars.npm:node-sass

CVE-2018-1999040 Vulnerability in maven package org.csanchez.jenkins.plugins:kubernetes

CVE-2015-5348 Vulnerability in maven package org.apache.camel:camel-http-common

CVE-2019-17195 Vulnerability in maven package com.nimbusds:nimbus-jose-jwt

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking