CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31023 – Dev error stack trace leaking into prod in Play Framework
https://notcve.org/view.php?id=CVE-2022-31023
02 Jun 2022 — Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. • https://github.com/playframework/playframework/pull/11305 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26882
https://notcve.org/view.php?id=CVE-2020-26882
06 Nov 2020 — In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input. En Play Framework versiones 2.6.0 hasta 2.8.2, una amplificación de datos puede ocurrir cuando una aplicación acepta una entrada JSON multipart/form-data • https://www.playframework.com/security/vulnerability • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-27196
https://notcve.org/view.php?id=CVE-2020-27196
06 Nov 2020 — An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service. Se detectó un problema en PlayJava en Play Framework versiones 2.6.0 hasta 2.8.2. El análisis del cuerpo de peticiones HTTP analiza enérgicamente una carga útil dado un encabezado Content-Type. • https://www.playframework.com/security/vulnerability • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26883
https://notcve.org/view.php?id=CVE-2020-26883
06 Nov 2020 — In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents. En Play Framework versiones 2.6.0 hasta 2.8.2, el consumo de la pila puede ocurrir debido a una recursividad ilimitada durante el análisis de documentos JSON diseñados • https://www.playframework.com/security/vulnerability • CWE-674: Uncontrolled Recursion •
CVSS: 9.8EPSS: 0%CPEs: 24EXPL: 0CVE-2014-3630
https://notcve.org/view.php?id=CVE-2014-3630
29 Dec 2017 — XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data. Vulnerabilidad de XEE (XML External Entity) en la funcionalidad de procesamiento de Java XML en Play, en versiones anteriores a la 2.2.6 y versiones 2.3.x anteriores a la 2.3.5, podría permitir a atacantes remotos leer archivos arbitrarios, provocar u... • https://groups.google.com/forum/#%21msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 3%CPEs: 110EXPL: 0CVE-2015-2156
https://notcve.org/view.php?id=CVE-2015-2156
18 Oct 2017 — Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. Netty en versiones anteriores a la 3.9.8.Final, 3.10.x anteriores a la 3.10.3.Final, 4.0.x anteriores a la 4.0.28.Final y 4.1.x anteriores a la 4.1.0.Beta5 y Play Framework 2.x en versiones ante... • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html • CWE-20: Improper Input Validation •