CVE-2019-17598

Published: Nov 5, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

Affected (2)

Products: Lightbend: Play Framework

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Lightbend Play Framework	From 2.5.0 to 2.5.19
Lightbend Play Framework	From 2.6.0 to 2.6.23

Related CWEs

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (4)

https://www.playframework.com/security/vulnerability

Source: cve@mitre.org

Release NotesVendor Advisory

https://www.playframework.com/security/vulnerability/CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders

Source: cve@mitre.org

Vendor Advisory

https://www.playframework.com/security/vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://www.playframework.com/security/vulnerability/CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.