2023-04-17
CVE-2023-29471
Credentials from org.apache.kafka.common.security.plain.PlainLoginModule (the username and password in sasl.jaas.config) are logged in plaintext when debug logging is enabled.
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Overall CVSS Score: 5.4
A person with access to service logs could obtain credentials for the Kafka brokers.
An allow list limiting which Kafka Consumer/Producer properties are printed was implemented, so credentials are filtered out of the log output.
Affected versions: alpakka-kafka up to 4.0.0
Fixed versions: alpakka-kafka 4.0.2 and later
Thanks Paweł Cembaluk for reporting the issue
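As an added example, not code from Alpakka Kafka or from this advisory: a Python sketch of the allow-list approach the resolution describes, next to the pre-fix behaviour of dumping every property, plus a scanner for debug logs that may already contain PlainLoginModule credentials. The allow-list contents, the settings values and the log lines are constructed for illustration; the project's own list and log format differ.

```python
"""Allow-list logging of Kafka client settings, and a scanner for leaked credentials.

Added example; not Alpakka Kafka's code. The allow list, the sample settings
and the sample log lines are constructed for illustration.
"""
import re

# Constructed consumer settings. The sasl.jaas.config value has the shape
# PlainLoginModule expects; the username and password are placeholders.
SAMPLE_SETTINGS = {
    "bootstrap.servers": "kafka-1.internal:9093",
    "group.id": "orders-consumer",
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "PLAIN",
    "sasl.jaas.config": (
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="svc-orders" password="s3cr3t-example";'
    ),
    "ssl.keystore.password": "keystore-example",
    "enable.auto.commit": "false",
}

# Hypothetical allow list: only keys known to carry no secret are ever logged.
# Anything not listed (sasl.jaas.config, *.password, ...) is dropped by default,
# which is why an allow list is safer here than a deny list of known secrets.
LOGGABLE_KEYS = frozenset({
    "bootstrap.servers",
    "group.id",
    "security.protocol",
    "sasl.mechanism",
    "enable.auto.commit",
    "auto.offset.reset",
    "client.id",
})


def settings_for_log_vulnerable(settings):
    """Pre-fix behaviour: every property, credentials included, goes to the log."""
    return ", ".join(f"{k}={v}" for k, v in sorted(settings.items()))


def settings_for_log(settings, allow=LOGGABLE_KEYS):
    """Allow-list filtering: print listed keys only, and just count the rest."""
    shown = {k: v for k, v in settings.items() if k in allow}
    hidden = [k for k in settings if k not in allow]
    text = ", ".join(f"{k}={v}" for k, v in sorted(shown.items()))
    if hidden:
        text += f" (+{len(hidden)} properties not logged)"
    return text


# Patterns for credentials that the pre-fix debug output would have carried:
# a PlainLoginModule JAAS string with its password, and the SSL password keys.
LEAK_PATTERNS = [
    re.compile(r'PlainLoginModule[^;]*\bpassword="[^"]*"'),
    re.compile(r'\bssl\.(?:keystore|truststore|key)\.password=\S+'),
]


def find_credential_leaks(lines):
    """Return (line_number, matched_text) for every credential found in the log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for pattern in LEAK_PATTERNS:
            for match in pattern.finditer(line):
                hits.append((number, match.group(0)))
    return hits


# Constructed debug log excerpt in the style of a settings dump; line 2 leaks.
SAMPLE_LOG = [
    "2023-04-10 12:00:01 DEBUG ConsumerSettings(bootstrap.servers=kafka-1.internal:9093, group.id=orders-consumer)",
    '2023-04-10 12:00:02 DEBUG ConsumerSettings(sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="svc-orders" password="s3cr3t-example";, ssl.keystore.password=keystore-example)',
    "2023-04-10 12:00:03 INFO  Subscribed to topic orders",
]


if __name__ == "__main__":
    print("vulnerable:", settings_for_log_vulnerable(SAMPLE_SETTINGS))
    print("allow-listed:", settings_for_log(SAMPLE_SETTINGS))
    for number, text in find_credential_leaks(SAMPLE_LOG):
        print(f"leak on line {number}: {text}")
```

If the scanner flags lines in logs written by an affected version with debug logging on, treat the credentials as exposed and rotate them; upgrading alone does not undo what was already written to log storage.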