PT-2020-13139 · Lightbend · Play Framework

Kevin Joensen · Published 2020-08-17 · Updated 2020-08-24 · CVE-2020-12480

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Play Framework versions 2.6.0 through 2.8.1
Description: The issue allows the CSRF filter to be bypassed by making CORS simple requests with content types that contain parameters that cannot be parsed.
Recommendations: For Play Framework versions 2.6.0 through 2.8.1, consider updating the CSRF filter configuration to handle unparseable content type parameters or restrict access to the affected CORS endpoints until a patch is available.
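The description above frames the bypass as a Content-Type parsing problem: a CSRF filter that decides by media type which requests to check, and that skips the check when the header fails to parse, fails open. The following is an added illustration of that gate in Python, not Play's own code (Play is written in Scala); the media-type list, the method list and both policy functions are the example's own assumptions, chosen to show a fail-open gate beside its fail-closed counterpart. The sample headers in the main block are constructed.

```python
import re
from typing import Optional

# Media types a browser may send in a cross-origin POST without a CORS
# preflight ("simple" requests). A CSRF filter must check requests carrying
# these; other types trigger a preflight and are left to the CORS policy.
# (Assumption of this example, not Play's own list.)
SIMPLE_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Methods that change state and therefore need a CSRF token (assumption).
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# RFC 7230 token and a strict "; name=value" parameter grammar.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_TYPE = re.compile(rf"({_TOKEN}/{_TOKEN})")
_PARAM = re.compile(rf'\s*;\s*({_TOKEN})=("(?:[^"\\]|\\.)*"|{_TOKEN})')


def parse_media_type(header: str) -> Optional[str]:
    """Strictly parse a Content-Type value.

    Returns the lowercased media type when every parameter is well-formed,
    otherwise None. A parser that rejects the whole value on one bad
    parameter is exactly what a fail-open gate mishandles.
    """
    header = header.strip()
    m = _TYPE.match(header)
    if not m:
        return None
    pos = m.end()
    while pos < len(header):
        pm = _PARAM.match(header, pos)
        if not pm:
            return None  # malformed parameter: reject the whole value
        pos = pm.end()
    return m.group(1).lower()


def needs_csrf_check_fail_open(method: str, content_type: Optional[str]) -> bool:
    """Weak gate: an unparseable Content-Type yields None, which is not in
    the simple set, so the request is waved through without a token check."""
    if method.upper() not in UNSAFE_METHODS:
        return False
    media_type = parse_media_type(content_type) if content_type else None
    return media_type in SIMPLE_MEDIA_TYPES


def needs_csrf_check_fail_closed(method: str, content_type: Optional[str]) -> bool:
    """Hardened gate: a missing or unparseable Content-Type on an unsafe
    method is treated as a simple request and is therefore checked."""
    if method.upper() not in UNSAFE_METHODS:
        return False
    if not content_type:
        return True
    media_type = parse_media_type(content_type)
    if media_type is None:
        return True  # cannot classify the body: require the token
    return media_type in SIMPLE_MEDIA_TYPES


if __name__ == "__main__":
    # Constructed sample requests, including one Content-Type with a
    # parameter that has no value and therefore does not parse.
    samples = [
        ("POST", "application/x-www-form-urlencoded"),
        ("POST", 'multipart/form-data; boundary="----constructed"'),
        ("POST", "text/plain; charset"),
        ("POST", "application/json"),
        ("GET", "text/plain"),
    ]
    for method, ct in samples:
        print(f"{method} {ct!r}: "
              f"fail-open={needs_csrf_check_fail_open(method, ct)} "
              f"fail-closed={needs_csrf_check_fail_closed(method, ct)}")
```

The two gates agree on every well-formed header; they differ only when the header is absent or does not parse, which is the case the advisory describes. A regression test for a CSRF filter should cover that case explicitly, since a parser upgrade that becomes stricter can silently widen the set of requests a fail-open gate skips.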

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-12480
GHSA-CF8J-64H9-6Q58

Affected Products

Play Framework