CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-33251
https://notcve.org/view.php?id=CVE-2023-33251
21 May 2023 — When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946. • https://akka.io/security/akka-http-cve-2023-05-15.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31442
https://notcve.org/view.php?id=CVE-2023-31442
11 May 2023 — In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation... • https://akka.io/security/akka-async-dns-2023-31442.html •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29471
https://notcve.org/view.php?id=CVE-2023-29471
27 Apr 2023 — Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor. • https://akka.io/security/alpakka-kafka-cve-2023-29471.html • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31023 – Dev error stack trace leaking into prod in Play Framework
https://notcve.org/view.php?id=CVE-2022-31023
02 Jun 2022 — Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. • https://github.com/playframework/playframework/pull/11305 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31018 – Denial of service binding form from JSON in Play Framework
https://notcve.org/view.php?id=CVE-2022-31018
02 Jun 2022 — Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `O... • https://github.com/playframework/playframework/pull/11301 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-23339 – HTTP Request Smuggling
https://notcve.org/view.php?id=CVE-2021-23339
17 Feb 2021 — This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers. Esto afecta a todas las versiones anteriores a 10.1.14 y desde la versión 10.2.0 a la versión 10.2.4 del paquete com.typesafe.akka:akka-http-core. Este permite múltiples encabezados Transfer-Encoding • https://github.com/akka/akka-http/pull/3754%23issuecomment-779265201 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28923
https://notcve.org/view.php?id=CVE-2020-28923
03 Dec 2020 — An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON. Se detectó un problema en Play Framework versiones 2.8.0 hasta 2.8.4. Las cargas útiles JSON cuidadosamente diseñadas enviadas como un campo de formulario conllevan a una Amplificación de Datos. • https://www.playframework.com/security/vulnerability •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26882
https://notcve.org/view.php?id=CVE-2020-26882
06 Nov 2020 — In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input. En Play Framework versiones 2.6.0 hasta 2.8.2, una amplificación de datos puede ocurrir cuando una aplicación acepta una entrada JSON multipart/form-data • https://www.playframework.com/security/vulnerability • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-27196
https://notcve.org/view.php?id=CVE-2020-27196
06 Nov 2020 — An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service. Se detectó un problema en PlayJava en Play Framework versiones 2.6.0 hasta 2.8.2. El análisis del cuerpo de peticiones HTTP analiza enérgicamente una carga útil dado un encabezado Content-Type. • https://www.playframework.com/security/vulnerability • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26883
https://notcve.org/view.php?id=CVE-2020-26883
06 Nov 2020 — In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents. En Play Framework versiones 2.6.0 hasta 2.8.2, el consumo de la pila puede ocurrir debido a una recursividad ilimitada durante el análisis de documentos JSON diseñados • https://www.playframework.com/security/vulnerability • CWE-674: Uncontrolled Recursion •