PT-2019-15219 · Lightbend · Lightbend Play Framework

Sunny Chotai · Published 2019-11-05 · Updated 2022-05-24 · CVE-2019-17598

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Lightbend Play Framework versions 2.5.x through 2.6.23

Description

An issue was discovered in the Lightbend Play Framework. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes expose the proxy credentials to the target host, typically under high load when connecting to a target host using https.

Recommendations

For versions 2.5.x through 2.6.23, consider reconfiguring the proxy settings to avoid using authenticated HTTP proxies until a fix is available. As a temporary workaround, restrict access to sensitive resources that may be exposed due to this issue.

Fix

Inadequate Encryption Strength

Weakness Enumeration

Related Identifiers

CVE-2019-17598
GHSA-442G-GCG6-MHM4

Affected Products

Lightbend Play Framework