GHSA-p9p4-97g9-wcrh · 深刻度: medium · エコシステム: maven — Dev error stack trace leaking into prod in Play Framework
Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.
総合評価: CVE-2022-31023 は中リスク(46.8/100)。CVSS 深刻度は中。悪用される可能性が高い(EPSS 1.20%、64 パーセンタイル) 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.41% | 1.20% | +0.80% |
| 2 | 2025-06-13 | 0.56% | 0.41% | -0.16% |
| 3 | 2025-06-04 | — | 0.56% | — |
EPSS の全履歴 (全 12 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 5.9 | 3.1 | MEDIUM |
|
2.2 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-p9p4-97g9-wcrh · 深刻度: medium · エコシステム: maven — Dev error stack trace leaking into prod in Play Framework
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| lightbend | play_framework | < 2.8.16 | cpe:2.3:a:lightbend:play_framework:*:*:*:*:*:*:*:* |
| URL | タグ |
|---|---|
| https://github.com/playframework/playframework/pull/11305 | Issue Tracking Patch Third Party Advisory |
| https://github.com/playframework/playframework/releases/tag/2.8.16 | Release Notes Third Party Advisory |
| https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh | Mitigation Third Party Advisory |