CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31023 – Dev error stack trace leaking into prod in Play Framework
https://notcve.org/view.php?id=CVE-2022-31023
Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. • https://github.com/playframework/playframework/pull/11305 https://github.com/playframework/playframework/releases/tag/2.8.16 https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31018 – Denial of service binding form from JSON in Play Framework
https://notcve.org/view.php?id=CVE-2022-31018
Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled—as it is by default—then this can crash the application process. • https://github.com/playframework/playframework/pull/11301 https://github.com/playframework/playframework/releases/tag/2.8.16 https://github.com/playframework/playframework/security/advisories/GHSA-v8x6-59g4-5g3w • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28923
https://notcve.org/view.php?id=CVE-2020-28923
An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON. Se detectó un problema en Play Framework versiones 2.8.0 hasta 2.8.4. Las cargas útiles JSON cuidadosamente diseñadas enviadas como un campo de formulario conllevan a una Amplificación de Datos. • https://www.playframework.com/security/vulnerability https://www.playframework.com/security/vulnerability/CVE-2020-28923-ImproperRemovalofSensitiveInformationBeforeStorageorTransfer •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26882
https://notcve.org/view.php?id=CVE-2020-26882
In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input. En Play Framework versiones 2.6.0 hasta 2.8.2, una amplificación de datos puede ocurrir cuando una aplicación acepta una entrada JSON multipart/form-data • https://www.playframework.com/security/vulnerability https://www.playframework.com/security/vulnerability/CVE-2020-26882-JsonParseDataAmplification • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-27196
https://notcve.org/view.php?id=CVE-2020-27196
An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service. Se detectó un problema en PlayJava en Play Framework versiones 2.6.0 hasta 2.8.2. El análisis del cuerpo de peticiones HTTP analiza enérgicamente una carga útil dado un encabezado Content-Type. • https://www.playframework.com/security/vulnerability https://www.playframework.com/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow • CWE-787: Out-of-bounds Write •