2023-04-17
CVE-2023-29471
Credentials from org.apache.kafka.common.security.plain.PlainLoginModule are logged as plaintext
when debug logging is enabled.
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Overall CVSS Score: 5.4
A person with access to service logs could gain credentials to Kafka servers.
An allow list limiting what Kafka Consumer/Producer properties is printed was implemented, filtering out credentials.
alpakka-kafka up to 4.0.0alpakka-kafka 4.0.2 and laterThanks Paweł Cembaluk for reporting the issue