CVE-2022-31023
Information Exposure vulnerability in play_2.12 (Maven)

Vulnerability type: Information Exposure. Known public exploits: none.

What is CVE-2022-31023 About?

This vulnerability is an Information Exposure flaw in Play Framework, specifically related to verbose error handling in dev mode. Improper configuration or use of the static `DefaultHttpErrorHandler` object can expose sensitive information from production applications to users. Although the root cause is a logic flaw in the API's default values rather than a memory-safety bug, it is easily exploitable wherever the misconfiguration exists.

Affected Software

  • com.typesafe.play:play_2.12
    • <2.8.16
  • com.typesafe.play:play_2.13
    • <2.8.16

Technical Details

The Play Framework includes a `DefaultHttpErrorHandler` that, in development mode, is configured to display verbose error messages and stack traces for debugging purposes. However, a static object `DefaultHttpErrorHandler` is also provided in the Scala API, and that object is configured to always exhibit this verbose behavior regardless of the application's mode.

This static object serves as the default value in certain Play APIs, notably the constructors for `CORSFilter` and the `apply` method of `CORSActionBuilder`. If developers inadvertently use this static `DefaultHttpErrorHandler` instance in a production environment, or if they improperly configure their injected error handler to behave like the static one, verbose error messages containing sensitive application details (such as stack traces, internal paths, or configuration values) will be displayed to end-users.

This bypasses the intended production-mode error handling, leading to the exposure of potentially critical information. The flaw is essentially a misconfiguration hazard facilitated by the API design.
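The following is an added example, not code from the advisory or from the Play project: a Play 2.8 filter wiring that relies on the unsafe default beside the corrected form that passes the application's injected error handler. It assumes the standard Play dependency-injection setup, where `CORSConfig`, `HttpErrorHandler` and an Akka `Materializer` are injectable, and the class names `VerboseCorsFilters` and `SafeCorsFilters` are chosen here for illustration.

```scala
// Added example, not part of the advisory or the Play code base.
// Assumes Play 2.8.x with the CORS module enabled (play.filters.cors.CORSModule),
// so that CORSConfig, HttpErrorHandler and Materializer can be injected.
import javax.inject.Inject
import akka.stream.Materializer
import play.api.http.{HttpErrorHandler, HttpFilters}
import play.api.mvc.EssentialFilter
import play.filters.cors.{CORSConfig, CORSFilter}

// Weak wiring: the errorHandler parameter is left at its default, which is the
// static play.api.http.DefaultHttpErrorHandler object. That object always renders
// the verbose dev-style error page (stack trace, internal paths), even when the
// application runs in Prod mode, so any error raised inside the CORS filter leaks.
class VerboseCorsFilters @Inject() (corsConfig: CORSConfig)(implicit mat: Materializer)
    extends HttpFilters {
  val filters: Seq[EssentialFilter] = Seq(new CORSFilter(corsConfig))
}

// Corrected wiring: the application's injected HttpErrorHandler is passed explicitly.
// In Prod mode this handler returns a generic error page to the client and keeps
// the exception detail in the server log, which is the intended production behaviour.
class SafeCorsFilters @Inject() (corsConfig: CORSConfig, errorHandler: HttpErrorHandler)(
    implicit mat: Materializer
) extends HttpFilters {
  val filters: Seq[EssentialFilter] = Seq(new CORSFilter(corsConfig, errorHandler))
}
```

Passing the handler explicitly removes the dependence on the static default at every call site; the upgrade to 2.8.16 listed below should still be applied. A quick review check is to search the code base for `new CORSFilter(` and `CORSActionBuilder(` calls that omit the `errorHandler` argument.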

What is the Impact of CVE-2022-31023?

Successful exploitation may allow attackers to gain access to sensitive information, such as stack traces, internal paths, or configuration details, potentially aiding further attacks or unauthorized access.

What is the Exploitability of CVE-2022-31023?

Exploitation relies on misconfiguration in a Play Framework application, specifically using the static DefaultHttpErrorHandler in production. This is a configuration-based vulnerability, making its complexity low for an attacker if the misconfiguration exists. No authentication is required for basic information exposure, as the verbose errors are often displayed directly to the client. Access is remote, as the error page is served via HTTP. No specific privileges are needed on the server itself. The primary constraint is the developer's oversight in deploying the application with the vulnerable error handler. Risk factors include insufficient testing or review of error handling configurations in production deployments, especially when using CORS-related components that default to the vulnerable handler.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no entries.
No known exploits.

What are the Available Fixes for CVE-2022-31023?

Available Upgrade Options

  • com.typesafe.play:play_2.12
    • <2.8.16 → Upgrade to 2.8.16
  • com.typesafe.play:play_2.13
    • <2.8.16 → Upgrade to 2.8.16

Additional Resources

What are Similar Vulnerabilities to CVE-2022-31023?

Similar Vulnerabilities: CVE-2021-41773, CVE-2021-42013, CVE-2021-26702, CVE-2020-15875, CVE-2020-15876