CVE-2023-29471 – com.typesafe.akka:akka-stream-kafka
Package
Manager: maven
Name: com.typesafe.akka:akka-stream-kafka
Vulnerable Version: >=0 <4.0.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00032 (percentile 0.07485)
Details
Lightbend Alpakka Kafka logs credentials on debug level

Lightbend Alpakka Kafka before 4.0.2 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.
Metadata
Created: 2023-04-27T21:30:26Z
Modified: 2023-05-05T20:35:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-55vq-xpjf-r2xc/GHSA-55vq-xpjf-r2xc.json
CWE IDs: ["CWE-312", "CWE-532"]
Alternative ID: GHSA-55vq-xpjf-r2xc
Finding: F020
Auto approve: 1