CVE-2019-17598 (High) detected in multiple libraries - autoclosed

[mend-for-jackfan.us.kg]

CVE-2019-17598 - High Severity Vulnerability

Vulnerable Libraries - play-ws_2.11-2.6.11.jar, play-ws_2.11-2.5.0.jar, play-ws_2.11-2.5.19.jar

play-ws_2.11-2.6.11.jar

Play-WS

Path to dependency file: /dd-java-agent/instrumentation/akka-http-10.0/akka-http-10.0.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.play/play-ws_2.11/2.6.11/b97f72f3db8bdfb3145bc8b2aa5d701a6d7df55d/play-ws_2.11-2.6.11.jar

Dependency Hierarchy:

• lagom-javadsl-testkit_2.11-1.4.0.jar (Root Library)
  • lagom-javadsl-server_2.11-1.4.0.jar
    • lagom-server_2.11-1.4.0.jar
      • lagom-client_2.11-1.4.0.jar
        • ❌ play-ws_2.11-2.6.11.jar (Vulnerable Library)

play-ws_2.11-2.5.0.jar

Play-WS

Path to dependency file: /dd-java-agent/instrumentation/play-2.4/play-2.4.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.play/play-ws_2.11/2.5.0/bf369ce4e3fc000d1eb388160f801cbf79dbd48/play-ws_2.11-2.5.0.jar

Dependency Hierarchy:

• play-java-ws_2.11-2.5.0.jar (Root Library)
  • ❌ play-ws_2.11-2.5.0.jar (Vulnerable Library)

play-ws_2.11-2.5.19.jar

Play-WS

Path to dependency file: /dd-java-agent/instrumentation/play-2.4/play-2.4.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.play/play-ws_2.11/2.5.19/d1c98226693a2549187dfd02e76f4f3c842ab027/play-ws_2.11-2.5.19.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.play/play-ws_2.11/2.5.19/d1c98226693a2549187dfd02e76f4f3c842ab027/play-ws_2.11-2.5.19.jar

Dependency Hierarchy:

• play-java-ws_2.11-2.5.19.jar (Root Library)
  • ❌ play-ws_2.11-2.5.19.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

Publish Date: 2020-08-24

URL: CVE-2019-17598

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-442g-gcg6-mhm4

Release Date: 2020-08-24

Fix Resolution (com.typesafe.play:play-ws_2.11): 2.6.24

Direct dependency fix Resolution (com.lightbend.lagom:lagom-javadsl-testkit_2.11): 1.5.0

---

⛑️ Automatic Remediation is available for this issue

[mend-for-jackfan.us.kg]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.