CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31023 – Dev error stack trace leaking into prod in Play Framework
https://notcve.org/view.php?id=CVE-2022-31023
Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. • https://github.com/playframework/playframework/pull/11305 https://github.com/playframework/playframework/releases/tag/2.8.16 https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26882
https://notcve.org/view.php?id=CVE-2020-26882
In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input. En Play Framework versiones 2.6.0 hasta 2.8.2, una amplificación de datos puede ocurrir cuando una aplicación acepta una entrada JSON multipart/form-data • https://www.playframework.com/security/vulnerability https://www.playframework.com/security/vulnerability/CVE-2020-26882-JsonParseDataAmplification • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-27196
https://notcve.org/view.php?id=CVE-2020-27196
An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service. Se detectó un problema en PlayJava en Play Framework versiones 2.6.0 hasta 2.8.2. El análisis del cuerpo de peticiones HTTP analiza enérgicamente una carga útil dado un encabezado Content-Type. • https://www.playframework.com/security/vulnerability https://www.playframework.com/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26883
https://notcve.org/view.php?id=CVE-2020-26883
In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents. En Play Framework versiones 2.6.0 hasta 2.8.2, el consumo de la pila puede ocurrir debido a una recursividad ilimitada durante el análisis de documentos JSON diseñados • https://www.playframework.com/security/vulnerability https://www.playframework.com/security/vulnerability/CVE-2020-26883-JsonParseUncontrolledRecursion • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-17598
https://notcve.org/view.php?id=CVE-2019-17598
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host. Se descubrió un problema en Lightbend Play Framework versiones 2.5.x hasta la versión 2.6.23. Cuando es configurado para realizar peticiones utilizando un proxy HTTP autenticado, play-ws puede algunas veces, generalmente bajo una carga alta, cuando se conecta a un host de destino usando https, exponer las credenciales del proxy al host de destino. • https://www.playframework.com/security/vulnerability https://www.playframework.com/security/vulnerability/CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders • CWE-326: Inadequate Encryption Strength •