Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2020-28923
Summary
An issue was discovered in Play Framework 2.8.0-M4 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0-M4 that used the Play Java API to serialize classes with protected or private fields to JSON.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- HIGH
- LOW
- NONE
CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
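The following is an added illustration of the failure mode this CWE entry describes, applied to the situation in the summary above: a class whose private and protected fields were never meant to be serialized ends up on the wire because of the serializer's visibility configuration. It is example code written for this page, not code from the Play project. Play's Java JSON API is built on Jackson, but the `Account`/`HardenedAccount` classes, the sample values and the `setVisibility(..., ANY)` configuration are constructed here to reproduce the class of problem; they are not a claim about the exact setting Play used in the affected versions. The `leaksField` check is the kind of regression test a team can keep after a framework upgrade changes serializer defaults.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.PropertyAccessor;

public class PrivateFieldLeakDemo {

    // Constructed sample model: only "username" is intended to be exposed.
    static class Account {
        public String username = "alice";
        // Never meant to leave the server; relies on the default visibility
        // rules (public fields/getters only) to stay out of the JSON.
        private String passwordHash = "$2a$10$constructed-sample-hash";
        protected String internalNote = "flagged for review";

        public String getUsername() { return username; }
    }

    // Same model with an explicit exclusion, so a change in mapper
    // configuration cannot silently widen what is serialized.
    static class HardenedAccount {
        public String username = "alice";
        @JsonIgnore private String passwordHash = "$2a$10$constructed-sample-hash";
        @JsonIgnore protected String internalNote = "flagged for review";

        public String getUsername() { return username; }
    }

    // Regression check: does the serialized form of `value` contain a
    // property named `fieldName`? Returns true when sensitive data leaks.
    static boolean leaksField(ObjectMapper mapper, Object value, String fieldName)
            throws JsonProcessingException {
        return mapper.readTree(mapper.writeValueAsString(value)).has(fieldName);
    }

    public static void main(String[] args) throws JsonProcessingException {
        // Mapper with Jackson's default visibility (public members only).
        ObjectMapper defaults = new ObjectMapper();

        // Mapper that auto-detects every field regardless of access modifier.
        // This is the assumed misconfiguration that reproduces the leak.
        ObjectMapper allFields = new ObjectMapper()
                .setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);

        System.out.println("default visibility:   " + defaults.writeValueAsString(new Account()));
        System.out.println("field visibility ANY: " + allFields.writeValueAsString(new Account()));
        System.out.println("hardened, ANY:        " + allFields.writeValueAsString(new HardenedAccount()));

        // Expected: false, true, false
        System.out.println("leak (defaults)?  " + leaksField(defaults, new Account(), "passwordHash"));
        System.out.println("leak (ANY)?       " + leaksField(allFields, new Account(), "passwordHash"));
        System.out.println("leak (hardened)?  " + leaksField(allFields, new HardenedAccount(), "passwordHash"));
    }
}
```

The point of the hardened variant is that the exclusion lives on the model, not in the mapper: when a framework upgrade changes the default `ObjectMapper`, a `@JsonIgnore` (or an explicit DTO that only carries the public view) still holds, whereas a model that merely relies on fields being private does not. Running `leaksField` against the production mapper in a unit test turns that assumption into something a CI pipeline checks on every upgrade.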
References
Advisory Timeline
- Published