akka.kafka.internal.KafkaConsumerActor logs credentials on debug level

Date

2023-04-17

CVE

CVE-2023-29471

Description of Vulnerability

Credentials from org.apache.kafka.common.security.plain.PlainLoginModule are logged as plaintext when debug logging is enabled.

Severity

Impact

A person with access to service logs could gain credentials to Kafka servers.

Resolution

An allow list limiting which Kafka Consumer/Producer properties are printed was implemented, filtering out credentials.
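The allow-list approach described above, as an added illustration that is not Alpakka Kafka's own code: only property keys known to be non-secret are printed with their values, and every other key (including sasl.jaas.config, which carries the PlainLoginModule username and password) is shown with a marker instead. The set of allowed keys, the settings map and the placeholder password are all constructed for this example; the key names themselves are standard Kafka client properties. Because the decision is "print only what is listed" rather than "hide what is listed", a secret under a key nobody thought to deny (here ssl.truststore.password) is redacted as well.

```scala
// Added example (not Alpakka Kafka's own code): an allow list deciding which
// Kafka client properties may appear in a debug log line.
object SafeKafkaPropertyLogging {

  // Hypothetical allow list: keys whose values are known to be non-secret.
  // Anything absent from this set is treated as potentially sensitive.
  val allowedKeys: Set[String] = Set(
    "bootstrap.servers",
    "group.id",
    "client.id",
    "enable.auto.commit",
    "auto.offset.reset",
    "security.protocol",
    "sasl.mechanism"
  )

  val Redacted = "<redacted>"

  /** Returns a copy of the properties in which every key missing from the
   *  allow list has its value replaced. The key itself is kept so the log
   *  still shows which settings were configured, just not their values. */
  def redact(properties: Map[String, String]): Map[String, String] =
    properties.map { case (key, value) =>
      key -> (if (allowedKeys.contains(key)) value else Redacted)
    }

  /** Renders the redacted properties as a single, sorted log-friendly line. */
  def describe(properties: Map[String, String]): String =
    redact(properties).toSeq.sorted.map { case (k, v) => s"$k=$v" }.mkString(", ")

  def main(args: Array[String]): Unit = {
    // Constructed sample consumer settings; the passwords are placeholders.
    val settings = Map(
      "bootstrap.servers" -> "broker-1:9092",
      "group.id" -> "orders",
      "security.protocol" -> "SASL_PLAINTEXT",
      "sasl.mechanism" -> "PLAIN",
      "sasl.jaas.config" ->
        """org.apache.kafka.common.security.plain.PlainLoginModule required username="svc" password="EXAMPLE-PASSWORD";""",
      "ssl.truststore.password" -> "EXAMPLE-TRUSTSTORE-PASSWORD"
    )
    val line = describe(settings)
    // Self-check: no placeholder secret may survive into the log text.
    require(!line.contains("EXAMPLE-PASSWORD"))
    require(!line.contains("EXAMPLE-TRUSTSTORE-PASSWORD"))
    println(s"Consumer properties: $line")
  }
}
```

Running the object with a plain Scala toolchain prints one line in which bootstrap.servers, group.id, security.protocol and sasl.mechanism keep their values while sasl.jaas.config and ssl.truststore.password show `<redacted>`. A log-review check for an incident like this one is the same as the `require` calls above: search the emitted debug output for the credential strings and confirm they never appear, rather than trusting that a particular key was remembered on a deny list.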

Affected versions

  • alpakka-kafka up to 4.0.0

Fixed versions

  • alpakka-kafka 4.0.2 and later

Acknowledgements

Thanks to Paweł Cembaluk for reporting the issue.

References