CVE-2023-45865: Akka logs environment variables


patrik....@gmail.com

Oct 31, 2023, 10:52:47 AM
to Akka Security
Date: 2023-10-31
CVE ID: CVE-2023-45865

Description of Vulnerability
Environment variable values that are included in configuration are logged as plaintext when log-config-on-start is enabled in Akka. Such environment variables may contain secrets that should not be revealed.

Severity
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Overall CVSS Score: 5.4

Impact
A person with access to service logs could gain credentials.

Resolution
Environment variable values from config are not logged.

Affected versions
Akka up to 2.8.5

Fixed versions
Akka 2.9.0 and later

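A configuration audit for the condition the advisory describes, added here as an example and not part of the original advisory or of Akka itself. It flags a HOCON config that enables log-config-on-start while pulling values from environment-style substitutions on a version below 2.9.0. The sample config, the function name audit and the ALL_CAPS heuristic for spotting environment variables are assumptions made for this example.

```python
import re

# Setting named in the advisory; the regex matches both the dotted form
# "akka.log-config-on-start = on" and the nested "akka { ... }" form.
LOG_ON_START = re.compile(r'log-config-on-start\s*[=:]\s*"?(\w+)')
# HOCON substitution ${NAME} or ${?NAME}. Treating ALL_CAPS names as
# environment variables is a heuristic assumed for this example.
ENV_SUBST = re.compile(r"\$\{\??([A-Z][A-Z0-9_]*)\}")
FIXED = (2, 9, 0)               # "Akka 2.9.0 and later" per the advisory
TRUTHY = {"on", "true", "yes"}  # boolean spellings HOCON accepts

# Constructed sample config (not taken from any real deployment).
SAMPLE = """\
akka {
  loglevel = "INFO"
  # log-config-on-start = off
  log-config-on-start = on
}
db {
  user = "app"
  password = ${?DB_PASSWORD}
  token = ${API_TOKEN}
}
"""


def audit(conf_text, akka_version):
    """Return (exposed, env_vars). exposed is True when an affected Akka
    version would log environment-derived config values at startup."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", akka_version)
    if m is None:
        raise ValueError(f"unrecognised version: {akka_version!r}")
    affected = tuple(map(int, m.groups())) < FIXED
    enabled, env_vars = False, []
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith(("#", "//")):  # skip whole-line HOCON comments
            continue
        hit = LOG_ON_START.search(s)
        if hit:  # a later assignment overrides an earlier one
            enabled = hit.group(1).lower() in TRUTHY
        env_vars += [v for v in ENV_SUBST.findall(s) if v not in env_vars]
    return (affected and enabled and bool(env_vars)), env_vars


if __name__ == "__main__":
    print(audit(SAMPLE, "2.8.5"))
```
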