GHSA-442g-gcg6-mhm4

Source

https://github.com/advisories/GHSA-442g-gcg6-mhm4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-442g-gcg6-mhm4/GHSA-442g-gcg6-mhm4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-442g-gcg6-mhm4

Aliases

CVE-2019-17598

Published

2022-05-24T22:01:04Z

Modified

2023-11-08T04:01:25.046120Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Play Framework Inadequate Encryption Strength vulnerability

Details

An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

Database specific

{
    "nvd_published_at": "2019-11-05T15:15:00Z",
    "github_reviewed_at": "2022-11-22T19:04:39Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-326"
    ]
}

References

Affected packages

Maven / com.typesafe.play:play-ws_2.12

Package

Name: com.typesafe.play:play-ws_2.12; View open source insights on deps.dev
Purl: pkg:maven/com.typesafe.play/play-ws_2.12

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.6.24

Affected versions

2.*

2.6.0-M1

2.6.0-M2

2.6.0-M3

2.6.0-M4

2.6.0-M5

2.6.0-RC1

2.6.0-RC2

2.6.0

2.6.1

2.6.2

2.6.3

2.6.5

2.6.6

2.6.7

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.6.16

2.6.17

2.6.18

2.6.19

2.6.20

2.6.21

2.6.22

2.6.23