Description

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

Remediation

References

https://www.playframework.com/security/vulnerability

https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass

Related Vulnerabilities

CVE-2016-4988 Vulnerability in maven package com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer

CVE-2019-10290 Vulnerability in maven package org.jenkins-ci.plugins:netsparker-cloud-scan

CVE-2016-3724 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2018-17193 Vulnerability in maven package org.apache.nifi:nifi-web-utils

CVE-2021-22132 Vulnerability in maven package org.elasticsearch:elasticsearch

Severity

High

Classification

CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Tags

Vendor Advisory