RSS   Vulnerabilities for 'Play framework'   RSS

2020-12-03
 
CVE-2020-28923

NVD-CWE-Other
 

 
An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON.

 
2020-11-06
 
CVE-2020-27196

CWE-787
 

 
An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

 
 
CVE-2020-26883

CWE-674
 

 
In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents.

 
 
CVE-2020-26882

CWE-674
 

 
In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input.

 
2020-08-17
 
CVE-2020-12480

CWE-352
 

 
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

 
2019-11-05
 
CVE-2019-17598

CWE-522
 

 
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

 

 >>> Vendor: Lightbend 4 Products
Akka http
Spray-json
Play framework
Akka-http


Copyright 2021, cxsecurity.com

 

Back to Top