CVE-2019-17598
Information Exposure vulnerability in play-ws_2.12 (Maven)

Information Exposure No known exploit

What is CVE-2019-17598 About?

An issue in Lightbend Play Framework 2.5.x through 2.6.23 can expose proxy credentials to target hosts. This occurs under high load when connecting to HTTPS targets via an authenticated HTTP proxy. Such information exposure can lead to unauthorized access, and exploitation is moderately difficult due to specific timing and load conditions.

Affected Software

com.typesafe.play:play-ws_2.12 >2.5.0, <2.6.24

Technical Details

Lightbend Play Framework versions 2.5.x through 2.6.23 contain an information exposure vulnerability in the play-ws module. When play-ws is configured to make requests through an authenticated HTTP proxy and the client connects to an HTTPS target host under high load, the proxy credentials may inadvertently be exposed to the target host. This typically happens as a race condition or a state mishandling issue in which the authentication headers intended only for the proxy are mistakenly sent in the headers of the subsequent request to the final HTTPS destination, bypassing the intended proxy-only scope of these credentials.
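A check for the leak described above, as an added example (not from this advisory or the Play project): it scans requests received by an origin you control, such as a test HTTPS endpoint used during a load test, for the standard `Proxy-Authorization` header, which should only ever reach the proxy. The sample requests, host name, and credentials are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample: raw requests as a test origin might record them after TLS termination.
SAMPLE_REQUESTS = [
    b"GET /api/items HTTP/1.1\r\nHost: origin.example\r\nAccept: */*\r\n\r\n",
    b"GET /api/items HTTP/1.1\r\nHost: origin.example\r\n"
    b"proxy-authorization: Basic "
    + base64.b64encode(b"svc-proxy:constructed-secret") + b"\r\n\r\n",
    b"POST /api/items HTTP/1.1\r\nHost: origin.example\r\n"
    b"Proxy-Authorization: Bearer constructed-token\r\nContent-Length: 2\r\n\r\n{}",
]

def parse_headers(raw):
    """Return (request line, [(lower-cased name, value)]) for a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that carry no colon
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def find_leaks(requests):
    """Flag every request that carries proxy credentials to the origin."""
    findings = []
    for index, raw in enumerate(requests):
        request_line, headers = parse_headers(raw)
        for name, value in headers:
            if name != "proxy-authorization":  # header names are case-insensitive
                continue
            scheme, _, credential = value.partition(" ")
            user = None
            if scheme.lower() == "basic":
                try:
                    decoded = base64.b64decode(credential, validate=True)
                    # Report only the account name; the password is never stored.
                    user = decoded.decode("utf-8").split(":", 1)[0]
                except ValueError:  # bad base64 or non-UTF-8 credential
                    user = None
            findings.append({"index": index, "request": request_line,
                             "scheme": scheme, "proxy_user": user})
    return findings

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_REQUESTS):
        print(finding)
```

Any finding means the proxy account named in it should be treated as exposed to that origin and its credentials rotated.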

What is the Impact of CVE-2019-17598?

Successful exploitation may allow attackers to obtain sensitive proxy credentials, which could then be used for unauthorized access to the proxy or to masquerade as the legitimate proxy user.

What is the Exploitability of CVE-2019-17598?

Exploitation of this vulnerability is moderately difficult, as it requires specific environmental conditions—namely, the use of an authenticated HTTP proxy and the occurrence of high load on the Play Framework application. The attacker needs to be the target HTTPS host or be able to observe traffic to it. This is primarily a remote exploitation scenario, where the sensitive information is transmitted over the network. No specific authentication beyond the client's legitimate use of the proxy is required to trigger the flaw from the client side. No particular privilege is needed beyond the application's normal operation. The key risk factor is the deployment of play-ws with authenticated proxies in high-load scenarios, making the timing window for credential leakage more probable.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2019-17598?

Available Upgrade Options

  • com.typesafe.play:play-ws_2.12
    • >2.5.0, <2.6.24 → Upgrade to 2.6.24

What are Similar Vulnerabilities to CVE-2019-17598?

Similar Vulnerabilities: CVE-2021-32729, CVE-2020-13936, CVE-2015-8857, CVE-2018-1000120, CVE-2023-28155