CSRF in Play Framework

2020-08-1817:30:25

Google

osv.dev

0.001 Low

EPSS

Percentile

21.6%

JSON

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can’t be parsed.

CPENameOperatorVersion
com.typesafe.play:play_2.12eq2.6.24
com.typesafe.play:play_2.12eq2.6.1
com.typesafe.play:play_2.12eq2.6.7
com.typesafe.play:play_2.12eq2.6.14
com.typesafe.play:play_2.12eq2.6.16
com.typesafe.play:play_2.12eq2.6.0-RC1
com.typesafe.play:play_2.12eq2.6.0-M4
com.typesafe.play:play_2.12eq2.6.23
com.typesafe.play:play_2.12eq2.7.3
com.typesafe.play:play_2.12eq2.6.3

Name	Operator	Version
com.typesafe.play:play_2.12	eq	2.6.24
com.typesafe.play:play_2.12	eq	2.6.1
com.typesafe.play:play_2.12	eq	2.6.7
com.typesafe.play:play_2.12	eq	2.6.14
com.typesafe.play:play_2.12	eq	2.6.16
com.typesafe.play:play_2.12	eq	2.6.0-RC1
com.typesafe.play:play_2.12	eq	2.6.0-M4
com.typesafe.play:play_2.12	eq	2.6.23
com.typesafe.play:play_2.12	eq	2.7.3
com.typesafe.play:play_2.12	eq	2.6.3