Vulnerability-Lookup

CVE-2022-31023 (GCVE-0-2022-31023)

Vulnerability from cvelistv5 – Published: 2022-06-02 18:05 – Updated: 2025-04-23 18:19

Title

Dev error stack trace leaking into prod in Play Framework

Summary

Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-209 - Generation of Error Message Containing Sensitive Information

Assigner

GitHub_M

References

URL

Tags

	https://github.com/playframework/playframework/re…	x_refsource_MISC
	https://github.com/playframework/playframework/se…	x_refsource_CONFIRM
	https://github.com/playframework/playframework/pu…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	playframework	playframework	Affected: < 2.8.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:03:40.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/playframework/playframework/pull/11305"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31023",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:06:14.948174Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:19:50.789Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "playframework",
          "vendor": "playframework",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-02T18:05:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/playframework/playframework/pull/11305"
        }
      ],
      "source": {
        "advisory": "GHSA-p9p4-97g9-wcrh",
        "discovery": "UNKNOWN"
      },
      "title": "Dev error stack trace leaking into prod in Play Framework",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31023",
          "STATE": "PUBLIC",
          "TITLE": "Dev error stack trace leaking into prod in Play Framework"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "playframework",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.8.16"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "playframework"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-209: Generation of Error Message Containing Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/playframework/playframework/releases/tag/2.8.16",
              "refsource": "MISC",
              "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
            },
            {
              "name": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh",
              "refsource": "CONFIRM",
              "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
            },
            {
              "name": "https://github.com/playframework/playframework/pull/11305",
              "refsource": "MISC",
              "url": "https://github.com/playframework/playframework/pull/11305"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-p9p4-97g9-wcrh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31023",
    "datePublished": "2022-06-02T18:05:11.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:19:50.789Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/playframework/playframework/releases/tag/2.8.16\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/playframework/playframework/pull/11305\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:03:40.340Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31023\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:06:14.948174Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:06:16.153Z\"}}], \"cna\": {\"title\": \"Dev error stack trace leaking into prod in Play Framework\", \"source\": {\"advisory\": \"GHSA-p9p4-97g9-wcrh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"playframework\", \"product\": \"playframework\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.8.16\"}]}], \"references\": [{\"url\": \"https://github.com/playframework/playframework/releases/tag/2.8.16\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/playframework/playframework/pull/11305\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-209\", \"description\": \"CWE-209: Generation of Error Message Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-06-02T18:05:11.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-p9p4-97g9-wcrh\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 2.8.16\"}]}, \"product_name\": \"playframework\"}]}, \"vendor_name\": \"playframework\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/playframework/playframework/releases/tag/2.8.16\", \"name\": \"https://github.com/playframework/playframework/releases/tag/2.8.16\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh\", \"name\": \"https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/playframework/playframework/pull/11305\", \"name\": \"https://github.com/playframework/playframework/pull/11305\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-209: Generation of Error Message Containing Sensitive Information\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-31023\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Dev error stack trace leaking into prod in Play Framework\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-31023\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T18:19:50.789Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-06-02T18:05:11.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-P9P4-97G9-WCRH

Vulnerability from github – Published: 2022-06-03 22:19 – Updated: 2025-11-03 21:05

Summary

Dev error stack trace leaking into prod in Play Framework

Details

Impact

Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its DefaultHttpErrorHandler to do so based on the application mode. In its Scala API Play also provides a static object DefaultHttpErrorHandler that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the DefaultHttpErrorHandler object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application.

In particular the constructor for CORSFilter and apply method for CORSActionBuilder use the static object DefaultHttpErrorHandler as a default value.

Patches

This is patched in Play Framework 2.8.16. The DefaultHttpErrorHandler object has been changed to use the prod-mode behavior, and DevHttpErrorHandler has been introduced for the dev-mode behavior.

Workarounds

When constructing a CORSFilter or CORSActionBuilder, ensure that a properly-configured error handler is passed. Generally this should be done by using the HttpErrorHandler instance provided through dependency injection or through Play's BuiltInComponents. Ensure that your application is not using the DefaultHttpErrorHandler static object in any code that may be run in production.

References

https://www.playframework.com/documentation/2.8.x/ScalaErrorHandling#Supplying-a-custom-error-handler https://www.playframework.com/documentation/2.8.x/JavaErrorHandling#Supplying-a-custom-error-handler

For more information

If you have any questions or comments about this advisory: * Open an issue in playframework/playframework * Email us at security@playframework.com

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.play:play_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.play:play_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-03T22:19:23Z",
    "nvd_published_at": "2022-06-02T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nPlay Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler.  Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application.\n\nIn particular the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value.\n\n### Patches\n\nThis is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior.\n\n### Workarounds\n\nWhen constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that your application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.\n\n### References\nhttps://www.playframework.com/documentation/2.8.x/ScalaErrorHandling#Supplying-a-custom-error-handler\nhttps://www.playframework.com/documentation/2.8.x/JavaErrorHandling#Supplying-a-custom-error-handler\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [playframework/playframework](https://github.com/playframework/playframework/)\n* Email us at [security@playframework.com](mailto:security@playframework.com)",
  "id": "GHSA-p9p4-97g9-wcrh",
  "modified": "2025-11-03T21:05:45Z",
  "published": "2022-06-03T22:19:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31023"
    },
    {
      "type": "WEB",
      "url": "https://github.com/playframework/playframework/pull/11305"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/playframework/playframework"
    },
    {
      "type": "WEB",
      "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dev error stack trace leaking into prod in Play Framework"
}

FKIE_CVE-2022-31023

Vulnerability from fkie_nvd - Published: 2022-06-02 18:15 - Updated: 2024-11-21 07:03

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/playframework/playframework/pull/11305	Issue Tracking, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/playframework/playframework/releases/tag/2.8.16	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh	Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/playframework/playframework/pull/11305	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/playframework/playframework/releases/tag/2.8.16	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh	Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	lightbend	play_framework	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:lightbend:play_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E641F3DB-3013-49F8-9E2E-082D808C9958",
              "versionEndExcluding": "2.8.16",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production."
    },
    {
      "lang": "es",
      "value": "Play Framework es un framework web para Java y Scala. Las versiones anteriores a 2.8.16 son vulnerables a una generaci\u00f3n de mensajes de error que contienen informaci\u00f3n confidencial. Play Framework, cuando es ejecutado en modo dev, muestra errores verbose para facilitar la depuraci\u00f3n, incluyendo un seguimiento de la pila de excepciones. Play hace esto configurando su \"DefaultHttpErrorHandler\" para que lo haga en funci\u00f3n del modo de aplicaci\u00f3n. En su API Scala, Play tambi\u00e9n proporciona un objeto est\u00e1tico \"DefaultHttpErrorHandler\" que est\u00e1 configurado para mostrar siempre los errores verbose. Esto es usado como valor por defecto en algunas APIs de Play, por lo que es posible usar inadvertidamente esta versi\u00f3n en producci\u00f3n. Tambi\u00e9n es posible configurar incorrectamente la instancia del objeto \"DefaultHttpErrorHandler\" como administrador de errores inyectado. Ambas situaciones podr\u00edan resultar en que sean mostrados errores verbales a usuarios en una aplicaci\u00f3n de producci\u00f3n, lo que podr\u00eda exponer informaci\u00f3n confidencial de la aplicaci\u00f3n. En concreto, el constructor de \"CORSFilter\" y el m\u00e9todo \"apply\" de \"CORSActionBuilder\" usan el objeto est\u00e1tico \"DefaultHttpErrorHandler\" como valor por defecto. Esto ha sido corregido en Play Framework versi\u00f3n 2.8.16. El objeto \"DefaultHttpErrorHandler\" ha sido cambiado para usar el comportamiento del modo prod, y ha sido introducido \"DevHttpErrorHandler\" para el comportamiento del modo dev. Se presenta una mitigaci\u00f3n disponible. Cuando construya un \"CORSFilter\" o un \"CORSActionBuilder\", aseg\u00farese de que es pasado un manejador de errores correctamente configurado. Generalmente, esto deber\u00eda hacerse al usar la instancia \"HttpErrorHandler\" proporcionada mediante la inyecci\u00f3n de dependencia o mediante \"BuiltInComponents\" de Play. Aseg\u00farese de que la aplicaci\u00f3n no usa el objeto est\u00e1tico \"DefaultHttpErrorHandler\" en ning\u00fan c\u00f3digo que pueda ejecutarse en producci\u00f3n"
    }
  ],
  "id": "CVE-2022-31023",
  "lastModified": "2024-11-21T07:03:44.027",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-02T18:15:09.820",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/playframework/playframework/pull/11305"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/playframework/playframework/pull/11305"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2022-31023

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-31023

Aliases

CVE-2022-31023

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-31023",
    "description": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.",
    "id": "GSD-2022-31023"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-31023"
      ],
      "details": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.",
      "id": "GSD-2022-31023",
      "modified": "2023-12-13T01:19:18.038493Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-31023",
        "STATE": "PUBLIC",
        "TITLE": "Dev error stack trace leaking into prod in Play Framework"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "playframework",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 2.8.16"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "playframework"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-209: Generation of Error Message Containing Sensitive Information"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/playframework/playframework/releases/tag/2.8.16",
            "refsource": "MISC",
            "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
          },
          {
            "name": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh",
            "refsource": "CONFIRM",
            "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
          },
          {
            "name": "https://github.com/playframework/playframework/pull/11305",
            "refsource": "MISC",
            "url": "https://github.com/playframework/playframework/pull/11305"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-p9p4-97g9-wcrh",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.8.16)",
          "affected_versions": "All versions before 2.8.16",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-209",
            "CWE-937"
          ],
          "date": "2022-06-11",
          "description": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 is vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.",
          "fixed_versions": [
            "2.8.16"
          ],
          "identifier": "CVE-2022-31023",
          "identifiers": [
            "CVE-2022-31023",
            "GHSA-p9p4-97g9-wcrh"
          ],
          "not_impacted": "All versions starting from 2.8.16",
          "package_slug": "maven/com.typesafe.play/play-ws_2.12",
          "pubdate": "2022-06-02",
          "solution": "Upgrade to version 2.8.16 or above.",
          "title": "Generation of Error Message Containing Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31023",
            "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh",
            "https://github.com/playframework/playframework/pull/11305",
            "https://github.com/playframework/playframework/releases/tag/2.8.16"
          ],
          "uuid": "ff5ba5be-46af-4a7c-957e-a29bbaca9682"
        },
        {
          "affected_range": "(,2.8.16)",
          "affected_versions": "All versions before 2.8.16",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-209",
            "CWE-937"
          ],
          "date": "2022-06-11",
          "description": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 is vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.",
          "fixed_versions": [
            "2.8.16"
          ],
          "identifier": "CVE-2022-31023",
          "identifiers": [
            "CVE-2022-31023",
            "GHSA-p9p4-97g9-wcrh"
          ],
          "not_impacted": "All versions starting from 2.8.16",
          "package_slug": "maven/com.typesafe.play/play_2.11",
          "pubdate": "2022-06-02",
          "solution": "Upgrade to version 2.8.16 or above.",
          "title": "Generation of Error Message Containing Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31023",
            "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh",
            "https://github.com/playframework/playframework/pull/11305",
            "https://github.com/playframework/playframework/releases/tag/2.8.16"
          ],
          "uuid": "98099084-d57c-45d0-98bb-3a9df12c729d"
        },
        {
          "affected_range": "(,2.8.16)",
          "affected_versions": "All versions before 2.8.16",
          "cwe_ids": [
            "CWE-1035",
            "CWE-209",
            "CWE-937"
          ],
          "date": "2022-06-03",
          "description": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 is vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.",
          "fixed_versions": [
            "2.8.16"
          ],
          "identifier": "CVE-2022-31023",
          "identifiers": [
            "GHSA-p9p4-97g9-wcrh",
            "CVE-2022-31023"
          ],
          "not_impacted": "All versions starting from 2.8.16",
          "package_slug": "maven/com.typesafe.play/play_2.12",
          "pubdate": "2022-06-03",
          "solution": "Upgrade to version 2.8.16 or above.",
          "title": "Generation of Error Message Containing Sensitive Information",
          "urls": [
            "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31023",
            "https://github.com/playframework/playframework/pull/11305",
            "https://github.com/playframework/playframework/releases/tag/2.8.16",
            "https://github.com/advisories/GHSA-p9p4-97g9-wcrh"
          ],
          "uuid": "4ec8efb9-4653-44ae-8ea5-da1cb4c4cf11"
        },
        {
          "affected_range": "(,2.8.16)",
          "affected_versions": "All versions before 2.8.16",
          "cwe_ids": [
            "CWE-1035",
            "CWE-209",
            "CWE-937"
          ],
          "date": "2022-06-03",
          "description": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 is vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.",
          "fixed_versions": [
            "2.8.16"
          ],
          "identifier": "CVE-2022-31023",
          "identifiers": [
            "GHSA-p9p4-97g9-wcrh",
            "CVE-2022-31023"
          ],
          "not_impacted": "All versions starting from 2.8.16",
          "package_slug": "maven/com.typesafe.play/play_2.13",
          "pubdate": "2022-06-03",
          "solution": "Upgrade to version 2.8.16 or above.",
          "title": "Generation of Error Message Containing Sensitive Information",
          "urls": [
            "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31023",
            "https://github.com/playframework/playframework/pull/11305",
            "https://github.com/playframework/playframework/releases/tag/2.8.16",
            "https://github.com/advisories/GHSA-p9p4-97g9-wcrh"
          ],
          "uuid": "edb20466-76e2-485b-a3df-e834fb6c9546"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:lightbend:play_framework:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.8.16",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31023"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play\u0027s `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-209"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh"
            },
            {
              "name": "https://github.com/playframework/playframework/pull/11305",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/playframework/playframework/pull/11305"
            },
            {
              "name": "https://github.com/playframework/playframework/releases/tag/2.8.16",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-06-11T00:58Z",
      "publishedDate": "2022-06-02T18:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-31023 (GCVE-0-2022-31023)

GHSA-P9P4-97G9-WCRH

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2022-31023

GSD-2022-31023

Tags

Sightings

Nomenclature