Description
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Remediation
References
https://akka.io/security/alpakka-kafka-cve-2023-29471.html
https://github.com/akka/alpakka-kafka/issues/1592
Related Vulnerabilities
CVE-2023-46674 Vulnerability in maven package org.elasticsearch:elasticsearch-hadoop
CVE-2022-42125 Vulnerability in maven package com.liferay.portal:com.liferay.portal.impl
CVE-2017-8046 Vulnerability in maven package org.springframework.boot:spring-boot-starter-data-rest
CVE-2023-49652 Vulnerability in maven package org.jenkins-ci.plugins:google-compute-engine
CVE-2023-24452 Vulnerability in maven package org.jenkins-ci.plugins:testquality-updater