Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
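A log check for the exposure described above, as an added example that is not part of the advisory or of the Alpakka Kafka code base: it flags DEBUG lines from `akka.kafka.internal.KafkaConsumerActor` that carry a JAAS `password="..."` value and redacts the value. The sample log layout and its values are constructed for this example, and the real message format may differ.

```python
import re

# Logger named in the advisory; the configuration is written at DEBUG level.
LOGGER = "akka.kafka.internal.KafkaConsumerActor"

# password="..." or password='...' as it appears in a JAAS login-module string
# (the value Kafka clients take in the sasl.jaas.config property).
# Backslash-escaped quotes inside the value are treated as part of the value.
JAAS_PASSWORD = re.compile(
    r"""(password\s*=\s*)(["'])((?:\\.|(?!\2).)*)\2""", re.IGNORECASE
)


def scan_and_redact(lines):
    """Return (findings, redacted_lines).

    findings holds the 1-based numbers of DEBUG lines from the affected logger
    that contain a quoted password. Every quoted password is redacted in the
    returned lines, whichever logger wrote it.
    """
    findings, redacted = [], []
    for number, line in enumerate(lines, start=1):
        clean, hits = JAAS_PASSWORD.subn(r"\1\2***REDACTED***\2", line)
        if hits and LOGGER in line and "DEBUG" in line:
            findings.append(number)
        redacted.append(clean)
    return findings, redacted


# Constructed sample: line layout, user name and password are invented.
SAMPLE_LOG = [
    "2023-04-06 10:15:01 INFO  app.Main - consumer starting",
    "2023-04-06 10:15:02 DEBUG akka.kafka.internal.KafkaConsumerActor - settings: "
    "sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.plain."
    'PlainLoginModule required username="svc-orders" password="constructed-secret";',
    "2023-04-06 10:15:03 DEBUG akka.kafka.internal.KafkaConsumerActor - polling",
]

if __name__ == "__main__":
    hit_lines, cleaned = scan_and_redact(SAMPLE_LOG)
    print("lines exposing a password:", hit_lines)
    for entry in cleaned:
        print(entry)
```

Any password found this way in retained logs should be treated as exposed and rotated, since redacting the file does not undo copies already shipped to log aggregation.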
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592