VYPR
Low severity · NVD Advisory · Published Dec 3, 2020 · Updated Aug 4, 2024

CVE-2020-28923

Description

Play Framework 2.8.0–2.8.4 exposes sensitive information when JSON serialization includes protected/private fields via crafted form payloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-28923 concerns improper removal of sensitive information before storage or transfer in Play Framework 2.8.0 through 2.8.4 [1][3]. The issue arises in the Java API's JSON serialization, where protected or private fields are inadvertently included in the serialized output when a crafted JSON payload is submitted as a form field [2]. This bug specifically affects users who migrated from a Play version prior to 2.8.0 and relied on the Play Java API to serialize classes with such fields [1][3].

Exploitation

An attacker can send a carefully constructed JSON payload as a form field to trigger data amplification, causing the server to serialize internal fields that were intended to be hidden [2]. The attack requires network access to the application and targets the form binding mechanism. No special authentication is needed beyond the ability to submit forms to the affected endpoint, but the attacker must craft the payload to exploit the serialization behavior [3].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive information, such as private or protected fields containing internal state or secrets [1][2]. The CVSS score is 4.2 (medium), reflecting a high attack complexity and required privileges but with a high confidentiality impact [3].

Mitigation

The vulnerability is fixed in Play 2.8.5 [1][3]. Users of affected versions should upgrade to 2.8.5 or later. There is no known workaround other than upgrading. The issue was discovered by Onilton Maciel and publicly disclosed on 9 November 2020 [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
com.typesafe.play:play (Maven)   >= 2.8.0, < 2.8.5     2.8.5
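The affected range above is easy to misread when comparing versions as strings ("2.8.10" sorts before "2.8.5" lexically) or when a pre-release such as 2.8.5-RC1 is in use. The following added example (not part of the advisory and not Play's own code) parses the advisory's range expression, compares versions numerically, and audits constructed sample build.sbt dependency lines for the affected coordinate. The sbt line format, the pre-release handling and the sample lines are assumptions made for this illustration.

```python
"""Audit declared Play dependencies against the affected range published for
CVE-2020-28923 (com.typesafe.play:play, >= 2.8.0 and < 2.8.5).

Added example: the range parser, the sbt-line regex and the sample build
lines are constructed for this illustration, not taken from the advisory.
"""
import re

# Coordinate and range exactly as the advisory's affected-packages table states them.
AFFECTED_PACKAGE = "com.typesafe.play:play"
AFFECTED_RANGE = ">= 2.8.0, < 2.8.5"

# Comparison operators understood in a range clause.
_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}

# Matches sbt dependency declarations such as  "group" %% "artifact" % "version".
_DEP_RE = re.compile(r'"([^"]+)"\s*%%?\s*"([^"]+)"\s*%\s*"([^"]+)"')


def parse_version(version: str) -> tuple:
    """Convert '2.8.10' into a tuple of ints so comparison is numeric, not lexical.

    The core is padded to three components. A pre-release suffix such as
    '2.8.5-RC1' is ranked below the final release by appending -1 instead of 0
    (an assumption made for this example; real resolvers have richer rules).
    """
    core, _, suffix = version.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    nums.append(-1 if suffix else 0)
    return tuple(nums)


def in_range(version: str, range_expr: str = AFFECTED_RANGE) -> bool:
    """Return True when every comma-separated clause of range_expr holds for version."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|==)\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def audit_sbt(text: str) -> list:
    """Scan sbt dependency lines and report (coordinate, version, affected) for
    every declaration of the affected package."""
    findings = []
    for group, artifact, version in _DEP_RE.findall(text):
        coord = f"{group}:{artifact}"
        if coord == AFFECTED_PACKAGE:
            findings.append((coord, version, in_range(version)))
    return findings


# Constructed sample lines, as if collected from several projects' build.sbt files.
SAMPLE_BUILD_LINES = """\
libraryDependencies += "com.typesafe.play" %% "play" % "2.8.3"
libraryDependencies += "com.typesafe.play" %% "play-json" % "2.9.1"
libraryDependencies += "com.typesafe.play" %% "play" % "2.8.5-RC1"
libraryDependencies += "com.typesafe.play" %% "play" % "2.8.10"
"""

if __name__ == "__main__":
    for coord, version, affected in audit_sbt(SAMPLE_BUILD_LINES):
        status = "AFFECTED, upgrade to 2.8.5 or later" if affected else "not affected"
        print(f"{coord} {version}: {status}")
```

Only the `play` artifact is checked because that is the coordinate the advisory lists; `play-json` is ignored even though it shares the group id. Note that 2.8.5-RC1 is reported as affected under the pre-release assumption, while 2.8.10 is correctly reported as patched because the comparison is numeric.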

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)