Lightbend Play Framework vulnerabilities

11 known vulnerabilities affecting lightbend/play_framework.

Total CVEs

11

CISA KEV

0

Public exploits

0

Exploited in wild

0

Severity breakdown

CRITICAL1HIGH8MEDIUM1LOW1

Vulnerabilities

Page 1 of 1

CVE-2022-31023HIGHCVSS 7.5fixed in 2.8.162022-06-02

CVE-2022-31023 [HIGH] CWE-209 CVE-2022-31023: Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to gene Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on t

CVE-2022-31018HIGHCVSS 7.5≥ 2.8.3, ≤ 2.8.152022-06-02

CVE-2022-31018 [HIGH] CWE-400 CVE-2022-31018: Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been dis Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON d

CVE-2020-28923LOWCVSS 2.7≥ 2.8.0, ≤ 2.8.42020-12-03

CVE-2020-28923 [LOW] CVE-2020-28923: An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON.

CVE-2020-26882HIGHCVSS 7.5≤ 2.6.25≥ 2.7.0, ≤ 2.7.5+1 more2020-11-06

CVE-2020-26882 [HIGH] CWE-674 CVE-2020-26882: In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts mult In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input.

CVE-2020-26883HIGHCVSS 7.5≤ 2.6.25≥ 2.7.0, ≤ 2.7.5+1 more2020-11-06

CVE-2020-26883 [HIGH] CWE-674 CVE-2020-26883: In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion du In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents.

CVE-2020-27196HIGHCVSS 7.5≤ 2.6.25≥ 2.7.0, ≤ 2.7.5+1 more2020-11-06

CVE-2020-27196 [HIGH] CWE-787 CVE-2020-27196: An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

CVE-2020-12480MEDIUMCVSS 6.5≥ 2.6.0, ≤ 2.6.25≥ 2.7.0, ≤ 2.7.4+1 more2020-08-17

CVE-2020-12480 [MEDIUM] CWE-352 CVE-2020-12480: In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple request In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

CVE-2019-17598HIGHCVSS 7.5≥ 2.5.0, ≤ 2.5.19≥ 2.6.0, ≤ 2.6.232019-11-05

CVE-2019-17598 [HIGH] CWE-326 CVE-2019-17598: An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make re An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

CVE-2018-13864HIGHCVSS 7.5≥ 2.6.12, ≤ 2.6.152018-07-17

CVE-2018-13864 [HIGH] CWE-22 CVE-2018-13864: A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.

CVE-2014-3630CRITICALCVSS 9.8v2.2.0v2.2.1+6 more2017-12-29

CVE-2014-3630 [CRITICAL] CWE-611 CVE-2014-3630: XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2. XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.

CVE-2015-2156HIGHCVSS 7.5v2.0v2.0.2+21 more2017-10-18

CVE-2015-2156 [HIGH] CWE-20 CVE-2015-2156: Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4. Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.