7.5

CVE-2019-17598

An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LightbendPlay Framework Version >= 2.5.0 <= 2.5.19
LightbendPlay Framework Version >= 2.6.0 <= 2.6.23
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.7% 0.482
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://www.playframework.com/security/vulnerability
Vendor Advisory
Release Notes
https://www.playframework.com/security/vulnerability/CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders
Vendor Advisory