Description
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
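The failure mode described above, as an added example that is not Play Framework's code: a simplified model of a CSRF gate that decides by content type, where a header that cannot be parsed fails open, next to a variant that fails closed. The parser, function names, and sample headers are assumptions constructed for this illustration.

```python
import re

# Content types a browser may send cross-origin without a CORS preflight
# ("simple requests"); a CSRF filter has to check requests carrying these.
SIMPLE_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_RE = re.compile(rf"^\s*({TOKEN}/{TOKEN})\s*((?:;.*)?)$")
PARAM_RE = re.compile(rf'^\s*{TOKEN}=(?:{TOKEN}|"(?:[^"\\]|\\.)*")\s*$')


def parse_media_type(header):
    """Strict parse: return the lowercase type/subtype, or None when the
    header is missing or any part of it, parameters included, is malformed.
    Simplification: a quoted value containing ';' is treated as malformed."""
    if header is None:
        return None
    m = MEDIA_RE.match(header)
    if not m:
        return None
    params = m.group(2)
    if params and not all(PARAM_RE.match(p) for p in params[1:].split(";")):
        return None
    return m.group(1).lower()


def needs_csrf_check_fail_open(method, content_type):
    """Blacklist gate that fails open: an unparseable header yields None,
    None is not on the list, so the token check is skipped."""
    if method in SAFE_METHODS:
        return False
    return parse_media_type(content_type) in SIMPLE_TYPES


def needs_csrf_check_fail_closed(method, content_type):
    """Same gate, but a missing or unparseable header is treated as
    browser-sendable, so the token check still runs."""
    if method in SAFE_METHODS:
        return False
    media = parse_media_type(content_type)
    return media is None or media in SIMPLE_TYPES


# Constructed sample headers. MALFORMED is chosen to fail this example's
# parser; it is not a statement about what Play's parser rejects.
WELL_FORMED = "text/plain; charset=utf-8"
MALFORMED = "text/plain; charset"
```

A browser still classifies the malformed header by its type/subtype and sends it without a preflight, which is why the server-side decision must not depend on the parameters parsing cleanly.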
Remediation
References
https://www.playframework.com/security/vulnerability
https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass