Description
CSRF in Play Framework
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-12480
- https://github.com/playframework/playframework/pull/10285
- https://github.com/playframework/playframework/commit/c82de44fc50b7c58c6e0580f1f67ff08aa7bd154
- https://www.playframework.com/security/vulnerability
- https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass
Packages
Name: com.typesafe.play:play_2.12 (maven)
Affected versions: < 2.7.5
Fixed version: 2.7.5
Name: com.typesafe.play:play_2.12 (maven)
Affected versions: >= 2.8.0, < 2.8.2
Fixed version: 2.8.2
Related vulnerabilities
CVSS3: 6.5
Source: nvd
Published: more than 5 years ago
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.