CVE-2023-33251
https://notcve.org/view.php?id=CVE-2023-33251
When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946. • https://akka.io/security/akka-http-cve-2023-05-15.html •
CVE-2023-31442
https://notcve.org/view.php?id=CVE-2023-31442
In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0. • https://akka.io/security/akka-async-dns-2023-31442.html https://lightbend.com •
CVE-2023-29471
https://notcve.org/view.php?id=CVE-2023-29471
Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor. • https://akka.io/security/alpakka-kafka-cve-2023-29471.html https://github.com/akka/alpakka-kafka/issues/1592 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2022-31023 – Dev error stack trace leaking into prod in Play Framework
https://notcve.org/view.php?id=CVE-2022-31023
Play Framework is a web framework for Java and Scala. Versions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. • https://github.com/playframework/playframework/pull/11305 https://github.com/playframework/playframework/releases/tag/2.8.16 https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2022-31018 – Denial of service binding form from JSON in Play Framework
https://notcve.org/view.php?id=CVE-2022-31018
Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in versions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled—as it is by default—then this can crash the application process. • https://github.com/playframework/playframework/pull/11301 https://github.com/playframework/playframework/releases/tag/2.8.16 https://github.com/playframework/playframework/security/advisories/GHSA-v8x6-59g4-5g3w • CWE-400: Uncontrolled Resource Consumption •