CVE-2023-29471: Cleartext Storage of Sensitive Information

April 27, 2023 (updated May 5, 2023)

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

References

akka.io/security/alpakka-kafka-cve-2023-29471.html
github.com/advisories/GHSA-55vq-xpjf-r2xc
github.com/akka/alpakka-kafka/issues/1592
github.com/akka/alpakka-kafka/pull/1614/commits/4011b704e93b22f6fd956aac516c7159d384644c
nvd.nist.gov/vuln/detail/CVE-2023-29471

Detect and mitigate CVE-2023-29471 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →