Akka CVE-2023-33251


A recent security check has flagged akka-http/10.2.7 with the following CVE

Any updates on when a new version will be released?

Also, I would like to suppress the headers that present the Akka version to the browser. I can see the topic here, "Disable akka-http version being returned"; however, I can't see a way through IaC to add this. I am reluctant to do anything manually, as autoscaling/rebuilding will just remove the change. Can someone point me in the right direction?

FYI we are running in AWS self hosted using the Terraform modules provided by Snowplow.

Hi @Ashley_Taylor,

We are not using FileUploadDirectives in the Collector, so I believe we are not impacted by this vulnerability.

As a side note, we are working on a new version of the Collector that does not use Akka HTTP — stay tuned for a release in the next weeks 🙂

Cheers @stanch, that's good to know.

Any ideas on how to suppress the version header without manually changing it?