Play-WS sending HTTP CONNECT including authorizing headers to target host

CVE-ID

CVE-2019-17598

Date

4 Nov 2019

Description

When WSClient has been configured to use an authenticated proxy server, whilst making outbound HTTPS requests, we see HTTP CONNECT requests being sent from WSClient to the target host.

Impact

When applications are using Play-WS and an authenticated proxy, if basic auth is used to authenticate with the proxy server, it is possible to read username and password since they are only base64 encoded in the Authorization header.

Affected versions

• Play 2.6.0-2.6.23
• Play 2.5.x (all versions)

Fixes

This issue is fixed on Play 2.6.24. It does not impact Play 2.7.x. There won’t be a 2.5.x release with this fix since this version has reached end-of-support.

CVSS Metrics (more info)

Overall: 3.4
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Acknowledgements

Credit for finding this vulnerability goes to Sunny Chotai from hmrc.gov.uk.