Advisories for Maven/Com.typesafe.play/Play-Ws_2.12 package

2022

Uncontrolled Resource Consumption

Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in versions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the Form#bindFromRequest method on a JSON request body or the Form#bind method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON …

Generation of Error Message Containing Sensitive Information

Play Framework is a web framework for Java and Scala. Versions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its DefaultHttpErrorHandler to do so based on the application mode. In its Scala API Play also provides a static object DefaultHttpErrorHandler that is …

2020

Out-of-bounds Write

The body parsing of HTTP requests eagerly parses a payload according to its Content-Type header. A deeply nested JSON structure sent to a valid POST endpoint (whether or not that endpoint expects a JSON payload) causes a StackOverflowError and a denial of service.
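Both the 2022 forms-library advisory and this 2020 body-parser advisory share one root cause: a recursive walk over attacker-controlled JSON with no bound on nesting depth, so a few hundred kilobytes of `[[[[...` exhausts the JVM thread stack before any application code runs. The fix is upgrading to a patched Play release; the snippet below is an added, illustrative pre-check (not Play's own code, and not part of the advisory) that a filter or custom body parser could run over the raw request body before handing it to the JSON parser or to Form#bind. It assumes only `jackson-core` on the classpath (Play's JSON support itself builds on Jackson) and uses Jackson's streaming `JsonParser`, which tracks depth with a counter rather than recursion; the 64-level limit is an arbitrary example value.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;

import java.io.IOException;

/**
 * Added example: bounds the nesting depth of a JSON body before it reaches
 * a recursive parser or binder. Hypothetical helper, not a Play API.
 */
public final class JsonDepthGuard {

    private JsonDepthGuard() {}

    /**
     * Walks the token stream and returns the deepest nesting level seen.
     * Stops as soon as the depth exceeds {@code limit}, so a hostile body
     * costs at most O(limit) work instead of O(size) plus a stack overflow.
     * Jackson 2.15+ additionally enforces its own StreamReadConstraints
     * (default max nesting depth 1000) and throws an IOException subclass
     * when that is exceeded, which the caller below treats as unsafe.
     */
    public static int maxDepth(String json, int limit) throws IOException {
        int depth = 0;
        int max = 0;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > max) {
                        max = depth;
                    }
                    if (depth > limit) {
                        return depth; // bail out early; no need to read the rest
                    }
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return max;
    }

    /** True only for well-formed JSON whose nesting stays within the limit. */
    public static boolean isSafeToBind(String json, int limit) {
        try {
            return maxDepth(json, limit) <= limit;
        } catch (IOException e) {
            // malformed JSON or a Jackson constraint violation: reject rather than bind
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs, not captured traffic.
        String shallow = "{\"username\":\"alice\",\"roles\":[\"user\",\"admin\"]}";

        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 100_000; i++) {
            sb.append('[');
        }
        for (int i = 0; i < 100_000; i++) {
            sb.append(']');
        }
        String deep = sb.toString(); // the kind of payload the advisories describe

        System.out.println("shallow depth = " + maxDepth(shallow, 64)); // 2
        System.out.println("shallow safe   = " + isSafeToBind(shallow, 64)); // true
        System.out.println("deep safe      = " + isSafeToBind(deep, 64)); // false
    }
}
```

In a Play application the natural place for such a check is a custom body parser (or a filter that inspects `Content-Type: application/json` bodies) that rejects the request with a 4xx before the default JSON body parser or the forms binder sees it; pick the limit from the deepest structure your own endpoints legitimately accept, since anything above that is either a bug or an attack.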

2019
2018

Path Traversal

A directory traversal vulnerability has been found in the Assets controller in the Play Framework. When running on Windows, it allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.