Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
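As an added example (not part of the advisory or of the Alpakka Kafka project), the following Python script checks already-written log lines from the logger named above for an exposed SASL/PLAIN password and masks it. The log layout, the sample lines and the function names are assumptions constructed for illustration; `sasl.jaas.config` with `password="..."` is the standard Kafka client setting for SASL/PLAIN.

```python
import re

# Logger named in the advisory. Assumption: the log pattern prints the full
# logger name (an abbreviated pattern such as "a.k.i.KafkaConsumerActor"
# would need its own marker).
LOGGER = "akka.kafka.internal.KafkaConsumerActor"

# Kafka's SASL/PLAIN JAAS entry carries the secret as password="...";
# the quotes may appear backslash-escaped when a config is dumped as a string.
JAAS_PASSWORD = re.compile(r'(password\s*=\s*\\?")(.*?)(\\?")')

# Constructed sample lines (hypothetical layout and values).
SAMPLE_LOG = [
    "10:00:01 INFO  akka.kafka.internal.KafkaConsumerActor - consumer started",
    "10:00:01 DEBUG akka.kafka.internal.KafkaConsumerActor - settings: "
    "sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security."
    'plain.PlainLoginModule required username="svc-orders" '
    'password="example-secret";',
    '10:00:02 DEBUG com.example.Other - retry, password="out-of-scope"',
]


def redact_line(line):
    """Return (line with JAAS passwords masked, True if anything was masked)."""
    if LOGGER not in line:
        return line, False
    redacted, count = JAAS_PASSWORD.subn(r"\1[REDACTED]\3", line)
    return redacted, count > 0


def scan(lines):
    """Return [(line_number, redacted_line)] for lines that exposed a password."""
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted, hit = redact_line(line)
        if hit:
            findings.append((number, redacted))
    return findings


if __name__ == "__main__":
    for number, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

Any password found this way should be treated as disclosed and rotated, since masking the log does not undo earlier reads of it.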
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592