CVE-2022-31023: Information Exposure via Error Message in Play Framework

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 37.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 2; latest update Jun 3

Description

Play Framework is a web framework for Java and Scala. Versions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play implements this by configuring its `DefaultHttpErrorHandler` class according to the application mode. In its Scala API, Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. Any code path that uses that static object therefore serves the verbose, stack-trace-bearing error page even when the application runs in production mode, which is the leak the GHSA title below describes.
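The fix is to make the verbose/terse decision explicitly from the application mode rather than relying on an error handler that was built with one fixed setting. The following is an added example for a Play 2.8.x Scala application; it is not code from the advisory or from the Play project. The package `com.example`, the class name `ProdSafeErrorHandler` and the `ErrorPolicy` helper are assumptions; the `DefaultHttpErrorHandler`, `HttpErrorConfig`, `OptionalSourceMapper` and `UsefulException` types are Play's own public API.

```scala
// Added example (not from the advisory or the Play project): a mode-aware
// error handler for Play 2.8.x that shows verbose (stack-trace) errors only
// in Dev mode, regardless of which DefaultHttpErrorHandler the framework
// would otherwise have picked.
package com.example // hypothetical package

import javax.inject.{Inject, Provider, Singleton}

import play.api.{Configuration, Environment, Mode, OptionalSourceMapper, UsefulException}
import play.api.http.{DefaultHttpErrorHandler, HttpErrorConfig}
import play.api.mvc.{RequestHeader, Result}
import play.api.mvc.Results.InternalServerError
import play.api.routing.Router

import scala.concurrent.Future

// Vulnerable pattern (pre-2.8.16), shown for contrast only: handing the
// static object to a server or action means verbose errors are produced
// in every mode, because that object was constructed with a fixed
// "show dev errors" setting instead of consulting the Environment.
//
//   val handler: play.api.http.HttpErrorHandler = play.api.http.DefaultHttpErrorHandler
//
// The hardened form below derives the setting from the mode every time.
object ErrorPolicy {
  // Verbose errors are a Dev-only feature; Test and Prod get the terse page.
  def configFor(env: Environment, config: Configuration): HttpErrorConfig =
    HttpErrorConfig(
      showDevErrors = env.mode == Mode.Dev,
      playEditor = config.getOptional[String]("play.editor")
    )
}

@Singleton
class ProdSafeErrorHandler @Inject() (
    env: Environment,
    config: Configuration,
    sourceMapper: OptionalSourceMapper,
    router: Provider[Router]
) extends DefaultHttpErrorHandler(
      ErrorPolicy.configFor(env, config),
      sourceMapper.sourceMapper,
      Some(router.get()) // by-name in the superclass, so evaluated lazily
    ) {

  // DefaultHttpErrorHandler.onServerError logs the full exception server-side
  // and then dispatches to onDevServerError or onProdServerError based on
  // showDevErrors. In Prod the client only gets an opaque reference id that
  // an operator can grep for in the logs; no class names, no source lines.
  override protected def onProdServerError(
      request: RequestHeader,
      exception: UsefulException
  ): Future[Result] =
    Future.successful(
      InternalServerError(s"Internal server error (reference: ${exception.id})")
    )
}

// Wire it in application.conf so Play's injector uses it instead of the default:
//
//   play.http.errorHandler = "com.example.ProdSafeErrorHandler"
```

Once deployed, verify the behaviour rather than trusting the configuration: start the application in production mode (for example from a staged build, not `sbt run`, which selects Dev mode), request a route that throws, and confirm that the response body carries only the reference id and no exception class names, stack frames or source excerpts. Upgrading to 2.8.16 or later, which the advisory names as the patched release, is still required, because the custom handler only protects the code paths that go through the injected error handler.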

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (2 packages)

CVEList V5: playframework/playframework < 2.8.16

Patches

Vulnerability Details (2)

GHSA: Dev error stack trace leaking into prod in Play Framework (2022-06-03)
OSV: Dev error stack trace leaking into prod in Play Framework (2022-06-03)