PT-2022-20467 · Unknown · Play Framework

Billy Autrey +2 · Published 2022-06-02 · Updated 2022-06-11 · CVE-2022-31023

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Play Framework versions prior to 2.8.16

Description

The issue concerns the generation of error messages containing sensitive information in Play Framework. When run in dev mode, Play Framework shows verbose errors for easy debugging, including an exception stack trace. This behavior is configured by the DefaultHttpErrorHandler based on the application mode. However, the static object DefaultHttpErrorHandler is configured to always show verbose errors, and it can be inadvertently used in production or improperly configured as the injected error handler. This could result in verbose errors being displayed to users in a production application, exposing sensitive information. Specifically, the constructor for CORSFilter and the apply method for CORSActionBuilder use the static object DefaultHttpErrorHandler as a default value.

Recommendations

For versions prior to 2.8.16, when constructing a CORSFilter or CORSActionBuilder, ensure that a properly configured error handler is passed. Generally, this should be done by using the HttpErrorHandler instance provided through dependency injection or through Play's BuiltInComponents. Ensure that the application is not using the DefaultHttpErrorHandler static object in any code that may be run in production. Update to Play Framework 2.8.16, where the DefaultHttpErrorHandler object has been changed to use the prod-mode behavior, and DevHttpErrorHandler has been introduced for the dev-mode behavior.
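The recommendation above, sketched for a Play 2.8.x application using runtime dependency injection. This is an added example, not code from the advisory or from the Play project; the class names VerboseFilters, Filters and ApiController and the status action are hypothetical, and the CORSFilter and CORSActionBuilder signatures are assumed to be those of Play 2.8.

```scala
import javax.inject.Inject
import scala.concurrent.ExecutionContext

import akka.stream.Materializer
import play.api.Configuration
import play.api.http.{DefaultHttpFilters, HttpErrorHandler}
import play.api.mvc.{AbstractController, ControllerComponents}
import play.filters.cors.{CORSActionBuilder, CORSConfig, CORSFilter}

// BEFORE (Play < 2.8.16): errorHandler is omitted, so the constructor default,
// the static DefaultHttpErrorHandler object, is used. That object always
// renders verbose errors, whatever mode the application runs in.
class VerboseFilters @Inject()(conf: Configuration)(implicit mat: Materializer)
    extends DefaultHttpFilters(new CORSFilter(CORSConfig.fromConfiguration(conf)))

// AFTER: pass the injected HttpErrorHandler, which Play configures according
// to the application's mode (hypothetical class name).
class Filters @Inject()(conf: Configuration, errorHandler: HttpErrorHandler)(
    implicit mat: Materializer
) extends DefaultHttpFilters(
      new CORSFilter(CORSConfig.fromConfiguration(conf), errorHandler)
    )

// The same rule applies to CORSActionBuilder.apply: supply errorHandler
// explicitly instead of relying on the default argument.
class ApiController @Inject()(
    cc: ControllerComponents,
    conf: Configuration,
    errorHandler: HttpErrorHandler
)(implicit mat: Materializer, ec: ExecutionContext)
    extends AbstractController(cc) {

  private val corsAction = CORSActionBuilder(conf, errorHandler)

  // Hypothetical endpoint wrapped in the CORS action.
  def status = corsAction { Ok("ok") }
}
```

With compile-time dependency injection, the equivalent is to pass the httpErrorHandler member of Play's BuiltInComponents in the same argument position.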

Exploit

Fix

Generation of Error Message Containing Sensitive Information


Weakness Enumeration

Related Identifiers

CVE-2022-31023
GHSA-P9P4-97G9-WCRH

Affected Products

Play Framework