Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNmOGotNjRoOS02cTU4

Moderate EPSS: 0.00036% (0.09564 Percentile) EPSS:
Permalink JSON

CSRF in Play Framework

Affected Packages Affected Versions Fixed Versions
maven:com.typesafe.play:play_2.12 >= 2.8.0, < 2.8.2, < 2.7.5 2.8.2, 2.7.5
262 Dependent packages
217 Dependent repositories

Affected Version Ranges

All affected versions

2.6.0, 2.6.0-M1, 2.6.0-M2, 2.6.0-M3, 2.6.0-M4, 2.6.0-M5, 2.6.0-RC1, 2.6.0-RC2, 2.6.1, 2.6.2, 2.6.3, 2.6.5, 2.6.6, 2.6.7, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17, 2.6.18, 2.6.19, 2.6.20, 2.6.21, 2.6.22, 2.6.23, 2.6.24, 2.6.25, 2.7.0, 2.7.0-M1, 2.7.0-M2, 2.7.0-M3, 2.7.0-M4, 2.7.0-RC3, 2.7.0-RC4, 2.7.0-RC5, 2.7.0-RC8, 2.7.0-RC9, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.0-M1, 2.8.0-M2, 2.8.0-M3, 2.8.0-M4, 2.8.0-M5, 2.8.0-M6, 2.8.0-RC1, 2.8.0-RC2, 2.8.0-RC4, 2.8.0-RC5, 2.8.1

All unaffected versions

2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.8.15, 2.8.16, 2.8.17, 2.8.18, 2.8.19, 2.8.20, 2.8.21, 2.8.22

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

References:

Identifiers

GHSA-cf8j-64h9-6q58

CVE-2020-12480

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00036

EPSS Percentile: 0.09564

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/playframework/playframework

Date and time

Published

about 5 years ago

Updated

almost 3 years ago

API

JSON