Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
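An added example, not taken from the advisory or the Alpakka Kafka project: a Python scan of existing log files for the JAAS passwords this issue can leave behind, reporting each hit with the secret redacted. The log lines are constructed samples and the real layout depends on your logging pattern, so the match keys on the `password="..."` option of Kafka's `sasl.jaas.config` value rather than on a fixed message format.

```python
import re
import sys

# Class named in the advisory as the source of the debug output.
AFFECTED_LOGGER = "akka.kafka.internal.KafkaConsumerActor"

# JAAS option inside a sasl.jaas.config value, e.g.
#   ...PlainLoginModule required username="svc" password="secret";
# The quotes may be backslash-escaped when the value was rendered inside
# a quoted configuration string, so both forms are accepted.
JAAS_PASSWORD = re.compile(r'(password\s*=\s*\\?")(.*?)(\\?")', re.IGNORECASE)

# Constructed sample lines (assumed layout, not real Alpakka Kafka output).
SAMPLE_LOG = [
    '2023-04-01 10:00:00 DEBUG akka.kafka.internal.KafkaConsumerActor - '
    'sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.'
    'plain.PlainLoginModule required username="svc-orders" '
    'password="EXAMPLE-not-a-real-secret";',
    '2023-04-01 10:00:01 INFO  app.Main - consumer started',
    r'2023-04-01 10:00:02 DEBUG akka.kafka.internal.KafkaConsumerActor - '
    r'sasl.jaas.config = "org.apache.kafka.common.security.plain.'
    r'PlainLoginModule required username=\"svc\" password=\"EXAMPLE-2\";"',
]

def redact(line):
    """Replace every JAAS password value in the line with a marker."""
    return JAAS_PASSWORD.sub(
        lambda m: m.group(1) + "[REDACTED]" + m.group(3), line)

def scan(lines):
    """Return one finding per line that contains a JAAS password."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if JAAS_PASSWORD.search(line):
            findings.append({
                "line": lineno,
                "from_affected_logger": AFFECTED_LOGGER in line,
                "redacted": redact(line.rstrip("\n")),
            })
    return findings

if __name__ == "__main__":
    # With no arguments the constructed sample is scanned instead of files.
    sources = sys.argv[1:] or [None]
    for path in sources:
        lines = SAMPLE_LOG if path is None else open(path, errors="replace")
        for f in scan(lines):
            origin = "affected logger" if f["from_affected_logger"] else "other"
            print(f"{path or 'sample'}:{f['line']} [{origin}] {f['redacted']}")
```

Any credential the scan finds in retained logs should be treated as exposed and rotated, since upgrading stops new entries but does not clean files already written.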
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592
Related Vulnerabilities
CVE-2011-5063 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2023-32999 Vulnerability in maven package com.rapid7:jenkinsci-appspider-plugin
CVE-2020-1938 Vulnerability in maven package org.apache.tomcat:tomcat-util
CVE-2023-29515 Vulnerability in maven package org.xwiki.platform:xwiki-platform-appwithinminutes-ui