Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
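A way to check existing log files for this exposure, as an added example that is not Alpakka's code or part of the original advisory: it finds JAAS `password="..."` values of the kind a plain cleartext login configuration carries, masks them, and reports whether each hit came from the logger named above. The function names, the `[REDACTED]` marker and the sample log lines (including their message layout) are constructed for illustration.

```python
import re

REDACTED = "[REDACTED]"
AFFECTED_LOGGER = "akka.kafka.internal.KafkaConsumerActor"  # logger named in the advisory

# JAAS option password="..." or password='...'; the quotes may be backslash-escaped
# when the configuration was rendered as a quoted string before being logged.
_PASSWORD = re.compile(r'''(password\s*=\s*)(\\?["'])(.*?)\2''', re.IGNORECASE)

def redact_line(line):
    """Return (clean_line, hits): JAAS password values masked, hits = values masked."""
    hits = 0
    def mask(m):
        nonlocal hits
        if m.group(3) == REDACTED:      # already masked on an earlier pass
            return m.group(0)
        hits += 1
        return f"{m.group(1)}{m.group(2)}{REDACTED}{m.group(2)}"
    return _PASSWORD.sub(mask, line), hits

def scan(lines):
    """Scan log lines; return (findings, clean_lines)."""
    findings, clean = [], []
    for number, line in enumerate(lines, 1):
        new_line, hits = redact_line(line)
        if hits:
            findings.append({"line": number, "hits": hits,
                             "affected_logger": AFFECTED_LOGGER in line})
        clean.append(new_line)
    return findings, clean

# Constructed sample input; real message text and layout may differ.
SAMPLE_LOG = [
    '2023-04-06 10:15:02 INFO  app.Main - consumer starting',
    '2023-04-06 10:15:03 DEBUG akka.kafka.internal.KafkaConsumerActor - settings: '
    '{"sasl.jaas.config" : "org.apache.kafka.common.security.plain.PlainLoginModule '
    'required username=\\"svc-orders\\" password=\\"constructed-secret\\";"}',
    '2023-04-06 10:15:04 DEBUG app.Config - sasl.jaas.config = org.apache.kafka.common.'
    'security.plain.PlainLoginModule required username="svc" password="constructed-secret-2";',
    '2023-04-06 10:15:05 DEBUG app.Config - password="[REDACTED]"',
]

if __name__ == "__main__":
    findings, clean = scan(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("\n".join(clean))
```

Any password the scan reports has been written to disk in cleartext and should be treated as exposed, which means rotating it rather than only masking the log.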
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592