GHSA-55vq-xpjf-r2xc

Source

https://github.com/advisories/GHSA-55vq-xpjf-r2xc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-55vq-xpjf-r2xc/GHSA-55vq-xpjf-r2xc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-55vq-xpjf-r2xc

Aliases

CVE-2023-29471

Published

2023-04-27T21:30:26Z

Modified

2025-09-30T18:58:00.090468Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Lightbend Alpakka Kafka logs credentials on debug level

Details

Lightbend Alpakka Kafka before 4.0.2 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Database specific

{
    "nvd_published_at": "2023-04-27T21:15:10Z",
    "cwe_ids": [
        "CWE-312",
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2023-04-27T23:53:28Z",
    "github_reviewed": true
}

References

Affected packages

Maven

com.typesafe.akka:akka-stream-kafka_3

Package

Name: com.typesafe.akka:akka-stream-kafka_3; View open source insights on deps.dev
Purl: pkg:maven/com.typesafe.akka/akka-stream-kafka_3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.2

Affected versions

4.*

4.0.1

com.typesafe.akka:akka-stream-kafka_2.13

Package

Name: com.typesafe.akka:akka-stream-kafka_2.13; View open source insights on deps.dev
Purl: pkg:maven/com.typesafe.akka/akka-stream-kafka_2.13

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.2

Affected versions

1.*

1.0.4

1.0.5

1.1.0-RC1

1.1.0-RC2

1.1.0

2.*

2.0.0-M2

2.0.0-RC1

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0-M1

2.1.0-RC1

2.1.0

2.1.1

3.*

3.0.0-RC1

3.0.0

3.0.1

3.1.0-M1

3.1.0-M2

4.*

4.0.0

4.0.1

com.typesafe.akka:akka-stream-kafka_2.12

Package

Name: com.typesafe.akka:akka-stream-kafka_2.12; View open source insights on deps.dev
Purl: pkg:maven/com.typesafe.akka/akka-stream-kafka_2.12

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.2

Affected versions

0.*

0.13

0.14

0.15

0.16

0.17

0.18

0.19

0.20

0.21

0.21.1

0.22

1.*

1.0-M1

1.0-RC1

1.0-RC2

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.1.0-RC1

1.1.0-RC2

1.1.0

2.*

2.0.0-M2

2.0.0-RC1

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0-M1

2.1.0-RC1

2.1.0

2.1.1

3.*

3.1.0-M1

3.1.0-M2

4.*

4.0.0

4.0.1

com.typesafe.akka:akka-stream-kafka_2.11

Package

Name: com.typesafe.akka:akka-stream-kafka_2.11; View open source insights on deps.dev
Purl: pkg:maven/com.typesafe.akka/akka-stream-kafka_2.11

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.11-M1

0.11-M2

0.11-M3

0.11-M4

0.11-RC1

0.11-RC2

0.11

0.12

0.13

0.14

0.15

0.16

0.17

0.18

0.19

0.20

0.21

0.21.1

0.22

1.*

1.0-M1

1.0-RC1

1.0-RC2

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.1.0-RC1

1.1.0-RC2

1.1.0

2.*

2.0.0-M1

2.0.0-M2

2.0.0-RC1

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

Database specific

last_known_affected_version_range

"< 4.0.2"