Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592