135 matches found
CVE-2019-17598
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host...
Design/Logic Flaw
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host...
CVE-2019-17598
CVE-2019-17598 affects Lightbend Play Framework (2.5.x–2.6.23) and its play-ws component. When configured to proxy requests through an authenticated HTTP proxy, under high load, HTTPS connections to a target host may reveal proxy credentials to that host. Impact is information disclosure; details...
CVE-2019-17598
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host...
Directory traversal
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 fixed in 2.6.16 when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests...
CVE-2018-13864
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 fixed in 2.6.16 when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests...
CVE-2018-13864
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 fixed in 2.6.16 when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests...
CVE-2018-13864
CVE-2018-13864: A directory traversal vulnerability affects Play Framework 2.6.12–2.6.15 (Windows). The Assets controller could be abused to download arbitrary files from the server via crafted HTTP requests. The issue is fixed in 2.6.16; upgrade to 2.6.16+ to remediate. No exploitation details a...
CVE-2018-13864
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 fixed in 2.6.16 when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests...
Information Disclosure
Play Framework filter-helper is vulnerable to information disclosure. Attackers can overwrite the Vary header when the CORS filter is used to match again a specific set of origins. This may expose sensitive information and make the application vulnerable to cache poisoning...
Play XML External Entity Injection Vulnerability
Play is a set of open source Java Web application framework. The framework is scalable , low resource consumption and so on. An XML external entity injection vulnerability exists in the Java XML functionality in Play versions prior to 2.2.6 and 2.3.x versions prior to 2.3.5. A remote attacker can...
Xxe
XML external entity XXE vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data...
UBUNTU-CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
Input validation
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
DEBIAN-CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
CVE-2015-2156
CVE-2015-2156 concerns Netty (and Play Framework): improper validation of cookie name/value characters can bypass HttpOnly and expose sensitive data. In IBM StreamSets Data Collector context, this vulnerability affects versions 5.0.0–6.4.1 and remediation is to upgrade to IBM StreamSets Data Coll...
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...