Play-WS sending HTTP CONNECT including authorizing headers to target host
4 Nov 2019
When WSClient has been configured to use an authenticated proxy server, whilst making outbound HTTPS requests, we see HTTP CONNECT requests being sent from WSClient to the target host.
When an application uses Play-WS with an authenticated proxy and basic auth is used to authenticate with the proxy server, the username and password can be read, since they are only base64-encoded in the Authorization header.
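An operator of a host that receives such requests can confirm the exposure by checking captured CONNECT requests for Basic credentials. The Python check below is an added example, not code from the Play project; the function name, the header list and the sample request are constructed for illustration.

```python
import base64

# The advisory names the Authorization header; Proxy-Authorization is the
# standard header for proxy credentials, so both are checked (an assumption).
CRED_HEADERS = ("authorization", "proxy-authorization")


def find_basic_credentials(raw_request: bytes) -> list:
    """Report Basic credentials carried by a CONNECT request (password redacted)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0].split()
    if len(request_line) != 3 or request_line[0].upper() != "CONNECT":
        return []  # only CONNECT requests are relevant to this issue
    findings = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in CRED_HEADERS:
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:  # not valid base64, nothing to report
            continue
        user, sep, password = decoded.decode("utf-8", "replace").partition(":")
        if not sep:
            continue
        findings.append({
            "target": request_line[1],
            "header": name.strip(),
            "username": user,
            "password_length": len(password),  # redacted: length only
        })
    return findings


# Constructed sample request (host and credentials are made up).
SAMPLE = (
    b"CONNECT api.example.com:443 HTTP/1.1\r\n"
    b"Host: api.example.com:443\r\n"
    b"Authorization: Basic " + base64.b64encode(b"proxyuser:s3cret-example") + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for finding in find_basic_credentials(SAMPLE):
        print(finding)
```

Any finding means the proxy credentials left the proxy path and should be treated as disclosed to that target.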
Affected versions:
- Play 2.6.0-2.6.23
- Play 2.5.x (all versions)
This issue is fixed in Play 2.6.24. It does not impact Play 2.7.x. There won’t be a 2.5.x release with this fix since this version has reached end-of-life.
Credit for finding this vulnerability goes to Sunny Chotai from hmrc.gov.uk.