CVE-2023-29471: Alpakka Kafka logging credentials at debug
29 views
Skip to first unread message
johan.andren
Apr 27, 2023, 9:36:25 AM4/27/23
to Akka Security
Date
2023-04-17
CVECVE-2023-29471
Description of VulnerabilityCredentials from org.apache.kafka.common.security.plain.PlainLoginModule are logged as plaintext when debug logging is enabled.
SeverityAV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Overall CVSS Score: 5.4
ImpactA person with access to service logs could gain credentials to Kafka servers.
ResolutionAn allow list limiting what Kafka Consumer/Producer properties is printed was implemented, filtering out credentials.
Affected versions- alpakka-kafka up to 4.0.0
- alpakka-kafka 4.0.2 and later
Thanks Paweł Cembaluk for reporting the issue
ReferencesReply all
Reply to author
Forward
0 new messages