Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2021-43297 Vulnerability in maven package com.alibaba:hessian-lite

CVE-2019-10424 Vulnerability in maven package com.technicolor:eloyente

CVE-2023-50730 Vulnerability in maven package org.typelevel:grackle-core_native0.4_3

CVE-2019-16557 Vulnerability in maven package com.redgate.plugins.redgatesqlci:redgate-sql-ci

CVE-2018-20677 Vulnerability in maven package org.webjars.npm:bootstrap-sass

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking