JSON Improper Removal of Sensitive Information Before Storage or Transfer

CVE-ID

CVE-2020-28923

9 November 2020

Play JSON handling on the Java API serializes private and protected fields.

Users migrating from Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON.

This issue is fixed on Play 2.8.5.

Overall: 4.2
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:X/RL:O/RC:C

Credit for reporting this vulnerability goes to Onilton Maciel.