akka.kafka.internal.KafkaConsumerActor logs credentials on debug level #1592
Comments
This is not very good on Alpakka Kafka, but having
I've now opened #1614 to make sure only non-security affecting properties are logged.
The fix for this issue is released with Alpakka Kafka 4.0.2 (the 4.0.1 version had an error during the release).
We've now reported this security problem as CVE-2023-29471.
Will the fix be backported to 3.0.x?
We do not consider this issue critical and are not planning to backport it.
Versions used
Akka version: 2.6.20
Akka Stream Kafka version: 3.0.1
Expected Behavior
Credentials are not logged in the logs.
Actual Behavior
Credentials from org.apache.kafka.common.security.plain.PlainLoginModule are logged as plaintext.
Relevant logs
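An allow-list filter of the kind the thread describes (only non-security-affecting properties reach the log), as an added example that is not Alpakka Kafka's code. `SafeConfigLogging`, its allow-list and the sample settings are assumptions made for illustration; the property names are standard Kafka client keys.

```scala
// Added example, not Alpakka Kafka's implementation.
// SafeConfigLogging and its allow-list are hypothetical.
object SafeConfigLogging {

  // Properties considered safe to print. Anything not listed is masked,
  // so a secret-bearing key added later is hidden by default.
  val LoggableKeys: Set[String] = Set(
    "bootstrap.servers",
    "group.id",
    "client.id",
    "auto.offset.reset",
    "enable.auto.commit",
    "security.protocol",
    "sasl.mechanism"
  )

  val Mask = "[hidden]"

  /** Copy of `props` in which every value outside the allow-list is masked. */
  def redact(props: Map[String, String]): Map[String, String] =
    props.map { case (k, v) => k -> (if (LoggableKeys.contains(k)) v else Mask) }

  /** One deterministic line suitable for a debug statement. */
  def render(props: Map[String, String]): String =
    redact(props).toSeq.sortBy(_._1).map { case (k, v) => s"$k=$v" }.mkString(", ")

  def main(args: Array[String]): Unit = {
    // Constructed sample settings; the credentials are placeholders.
    val props = Map(
      "bootstrap.servers" -> "broker.example:9093",
      "group.id" -> "orders",
      "security.protocol" -> "SASL_SSL",
      "sasl.mechanism" -> "PLAIN",
      "sasl.jaas.config" ->
        ("org.apache.kafka.common.security.plain.PlainLoginModule required " +
          "username=\"svc-user\" password=\"EXAMPLE-ONLY\";"),
      "ssl.truststore.password" -> "EXAMPLE-ONLY"
    )
    val line = render(props)
    // The JAAS entry and the truststore password must both be masked.
    assert(!line.contains("EXAMPLE-ONLY"), "secret leaked into log line")
    println(line)
  }
}
```

Masking by allow-list rather than by a deny-list of known secret keys keeps the key names visible for troubleshooting while never depending on someone remembering to list a new credential property.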