Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Play_framework
(Lightbend)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 11 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-12-03 | CVE-2020-28923 | An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON. | Play_framework | 2.7 | ||
2020-11-06 | CVE-2020-27196 | An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service. | Play_framework | 7.5 | ||
2020-11-06 | CVE-2020-26883 | In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents. | Play_framework | 7.5 | ||
2020-11-06 | CVE-2020-26882 | In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input. | Play_framework | 7.5 | ||
2020-08-17 | CVE-2020-12480 | In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed. | Play_framework | N/A | ||
2018-07-17 | CVE-2018-13864 | A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests. | Play_framework | 7.5 | ||
2019-11-05 | CVE-2019-17598 | An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host. | Play_framework | N/A |