5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
53.4%
A denial-of-service vulnerability has been discovered in Playβs forms library, in both the Scala and Java APIs. This can occur when using either the Form#bindFromRequest
method on a JSON request body or the Form#bind
method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an OutOfMemoryError
. If executing on the default dispatcher and akka.jvm-exit-on-fatal-error
is enabledβas it is by defaultβthen this can crash the application process.
Form.bindFromRequest
is vulnerable when using any body parser that produces a type of AnyContent
or JsValue
in Scala, or one that can produce a JsonNode
in Java. This includes Playβs default body parser.
This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if necessary.
Applications that do not need to parse a request body of type application/json
can switch from the default body parser to another body parser that supports only the specific type of body they expect; for example, the formUrlEncoded
body parser can be used if the Play action only needs to accept application/x-www-form-urlencoded
.
CPE | Name | Operator | Version |
---|---|---|---|
com.typesafe.play:play_2.12 | lt | 2.8.16 | |
com.typesafe.play:play_2.13 | lt | 2.8.16 |
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
53.4%