汇总 lightbend 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 XXE、路径处理缺陷与内存损坏 相关,可能在 软件部署与生产负载 场景中带来 文件覆盖与内存损坏 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2023-33251 | When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946. | [email protected] | 4.7 | 0.06% | 2023-05-21 | 2025-01-31 |
| CVE-2023-31442 | In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If suc | [email protected] | 7.5 | 0.51% | 2023-05-11 | 2025-01-27 |
| CVE-2023-29471 | Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor. | [email protected] | 5.5 | 0.05% | 2023-04-27 | 2025-01-31 |
| CVE-2022-31023 | Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors | [email protected] | 5.9 | 0.41% | 2022-06-02 | 2024-11-21 |
| CVE-2022-31018 | Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and | [email protected] | 7.5 | 0.48% | 2022-06-02 | 2024-11-21 |
| CVE-2021-23339 | This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers. | [email protected] | 5.0 | 0.21% | 2021-02-17 | 2024-11-21 |
| CVE-2020-28923 | An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON. | [email protected] | 2.7 | 0.18% | 2020-12-03 | 2024-11-21 |
| CVE-2020-27196 | An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service. | [email protected] | 7.5 | 0.53% | 2020-11-06 | 2024-11-21 |
| CVE-2020-26883 | In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents. | [email protected] | 7.5 | 0.53% | 2020-11-06 | 2024-11-21 |
| CVE-2020-26882 | In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input. | [email protected] | 7.5 | 0.41% | 2020-11-06 | 2024-11-21 |
| CVE-2020-12480 | In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed. | [email protected] | 6.5 | 0.04% | 2020-08-17 | 2024-11-21 |
| CVE-2019-17598 | An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host. | [email protected] | 7.5 | 0.18% | 2019-11-05 | 2024-11-21 |
| CVE-2018-18854 | Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code). | [email protected] | 7.5 | 0.84% | 2018-10-31 | 2024-11-21 |
| CVE-2018-18853 | Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits. | [email protected] | 7.5 | 0.84% | 2018-10-31 | 2024-11-21 |
| CVE-2018-16131 | The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb. | [email protected] | 7.5 | 1.34% | 2018-08-30 | 2024-11-21 |
| CVE-2018-16115 | Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. The custom RNG impl | [email protected] | 9.1 | 0.35% | 2018-08-29 | 2024-11-21 |
| CVE-2018-13864 | A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests. | [email protected] | 7.5 | 1.33% | 2018-07-17 | 2024-11-21 |
| CVE-2014-3630 | XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data. | [email protected] | 9.8 | 0.75% | 2017-12-29 | 2026-05-13 |
| CVE-2015-2156 | Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. | [email protected] | 7.5 | 3.27% | 2017-10-18 | 2026-05-13 |