CVE-2023-29471: 
Java vulnerability analysis and mitigation

Lightbend Alpakka Kafka before version 5.0.0 contains a security vulnerability where configuration details, including credentials, are exposed through debug logging. The vulnerability, identified as CVE-2023-29471, specifically occurs in the akka.kafka.internal.KafkaConsumerActor component when plain cleartext login is configured (NVD, AttackerKB).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from the KafkaConsumerActor component logging its configuration as debug information, which can include sensitive authentication credentials when plain cleartext login is configured. The vulnerability is categorized as CWE-312 (Cleartext Storage of Sensitive Information) (NVD).

The primary impact of this vulnerability is the potential exposure of authentication credentials through log files. When debug logging is enabled, any credentials configured for plain cleartext login would be visible in the logs, potentially leading to unauthorized access if these logs are compromised (FortiGuard).

The recommended mitigation is to upgrade to Alpakka Kafka version 4.0.2 or later. For systems that cannot be immediately upgraded, it is advisable to disable debug logging for the affected component to prevent credential exposure (FortiGuard).