11 matches found
CVE-2022-31018
CVE-2022-31018 affects Play Framework forms library (versions 2.8.3–2.8.15) for Java/Scala. The vulnerability is triggered when binding deeply nested JSON via Form.bindFromRequest or Form.bind on a JSON value, which may exhaust heap memory and crash the app (OutOfMemoryError) if run on the defaul...
CVE-2022-31023
CVE-2022-31023 affects Play Framework prior to 2.8.16. The issue arises when verbose error pages are shown in production due to DefaultHttpErrorHandler being used or misconfigured, potentially exposing sensitive information via exception stacks in error messages. The problem is rooted in how Play...
CVE-2015-2156
CVE-2015-2156 concerns Netty (and Play Framework): improper validation of cookie name/value characters can bypass HttpOnly and expose sensitive data. In IBM StreamSets Data Collector context, this vulnerability affects versions 5.0.0–6.4.1 and remediation is to upgrade to IBM StreamSets Data Coll...
CVE-2019-17598
CVE-2019-17598 affects Lightbend Play Framework (2.5.x–2.6.23) and its play-ws component. When configured to proxy requests through an authenticated HTTP proxy, under high load, HTTPS connections to a target host may reveal proxy credentials to that host. Impact is information disclosure; details...
CVE-2020-26883
Play Framework versions 2.6.0–2.8.2 contain a vulnerability caused by unbounded recursion during JSON parsing (notably in fromJson in form.scala per Veracode). This can lead to stack depletion/DoS via crafted JSON sent over the network. Affected components: Play Framework JSON parsing pathway; ro...
CVE-2020-12480
CVE-2020-12480 affects Play Framework 2.6.0–2.8.1. The CSRF filter can be bypassed when handling CORS simple requests with content types that contain parameters that can’t be parsed, enabling CSRF in affected deployments. Red Hat and security advisories (GHSA/Veracode OSV) corroborate the CSRF by...
CVE-2020-26882
CVE-2020-26882 (Play Framework): Affects Play Framework versions 2.6.0 through 2.8.2. The vulnerability arises when an application accepts multipart/form-data JSON input, causing data amplification. Documents explicitly describe this as a vulnerability in Play Framework, with potential impact on ...
CVE-2020-27196
CVE-2020-27196 affects Play Framework’s PlayJava in versions 2.6.0–2.8.2. The vulnerability arises from body parsing of HTTP requests that eagerly parses a payload when a Content-Type header is present; sending a deep JSON structure to a valid POST endpoint can trigger a StackOverflowError, resul...
CVE-2020-28923
Summary: CVE-2020-28923 affects Play Framework 2.8.0–2.8.4 via Data Amplification when carefully crafted JSON payloads are sent as a form field, impacting users migrating from Play Java API-based JSON serialization of classes with protected/private fields. The vulnerability description and relate...
CVE-2018-13864
CVE-2018-13864: A directory traversal vulnerability affects Play Framework 2.6.12–2.6.15 (Windows). The Assets controller could be abused to download arbitrary files from the server via crafted HTTP requests. The issue is fixed in 2.6.16; upgrade to 2.6.16+ to remediate. No exploitation details a...
CVE-2014-3630
Play framework’s Java XML processing (before 2.2.6 and 2.3.x before 2.3.5) is affected by CVE-2014-3630 via an XML External Entity (XXE) vulnerability. Crafted XML data can read arbitrary files, cause denial of service, or have unspecified impacts. The connected records confirm affected versions ...