Play-WS sending HTTP CONNECT including authorizing headers to target host
CVE-ID
CVE-2019-17598
Date
4 Nov 2019
Description
When WSClient is configured to use an authenticated proxy server and makes outbound HTTPS requests, HTTP CONNECT requests are sent from WSClient to the target host.
Impact
When an application uses Play-WS with an authenticated proxy and basic auth is used to authenticate with the proxy server, it is possible to read the username and password, since they are only Base64-encoded in the Authorization header.
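A detection sketch for the behaviour described above, added here as an example and not taken from the Play project: it inspects a raw request received by the target host and flags a CONNECT that carries Basic credentials. The function names and the sample request are constructed for illustration; the advisory names the Authorization header, and the standard Proxy-Authorization header is checked as well.

```python
import base64

# Headers that can carry proxy credentials. The advisory names Authorization;
# Proxy-Authorization is the standard proxy header and is checked as well.
CRED_HEADERS = ("authorization", "proxy-authorization")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def find_leaked_proxy_credentials(raw: bytes):
    """Return a finding if raw is a CONNECT carrying Basic credentials, else None."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return None
    if method.upper() != "CONNECT":  # a target host should never receive CONNECT
        return None
    for name in CRED_HEADERS:
        scheme, _, token = headers.get(name, "").partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid Base64, so not a Basic credential
            continue
        user, sep, _password = decoded.partition(":")
        if sep:  # Base64 is reversible; the password is redacted in the finding
            return {"target": target, "header": name, "username": user, "password": "<redacted>"}
    return None

# Constructed sample: a CONNECT as the advisory describes, with made-up credentials.
SAMPLE = (b"CONNECT api.example.test:443 HTTP/1.1\r\n"
          b"Host: api.example.test:443\r\n"
          b"Authorization: Basic " + base64.b64encode(b"proxyuser:not-a-real-secret") + b"\r\n\r\n")

if __name__ == "__main__":
    print(find_leaked_proxy_credentials(SAMPLE))
```

A finding on the target side means the proxy credentials it names should be rotated after upgrading.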
Affected versions
- Play 2.6.0-2.6.23
- Play 2.5.x (all versions)
Fixes
This issue is fixed in Play 2.6.24. It does not impact Play 2.7.x. There won’t be a 2.5.x release with this fix since this version has reached end-of-support.
CVSS Metrics
Overall: 3.4
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
Acknowledgements
Credit for finding this vulnerability goes to Sunny Chotai from hmrc.gov.uk.