Vulnerabilities for Play framework (...) - CXSECURITY.COM

Vulnerabilities for 'Play framework'

2020-12-03

CVE-2020-28923

NVD-CWE-Other

An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON.

2020-11-06

CVE-2020-27196

CWE-787

An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

CVE-2020-26883

CWE-674

In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents.

CVE-2020-26882

CWE-674

In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input.

2020-08-17

CVE-2020-12480

CWE-352

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

2019-11-05

CVE-2019-17598

CWE-522

An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

>>> Vendor: Lightbend 4 Products

Play framework

Copyright 2024, cxsecurity.com