Description

An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

Remediation

References

CVE-2019-17598

Related Vulnerabilities

WordPress Plugin History Collection Arbitrary File Download (1.1.1)

WordPress Plugin Quiz Maker Multiple SQL Injection Vulnerabilities (6.2.0.8)

Grafana Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2022-23498)

WordPress Plugin Visual CSS Style Editor Cross-Site Request Forgery (7.2.0)

WordPress Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2018-12895)

Severity

High

Classification

CVE-2019-17598 CWE-326 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities