
CVE-2020-12480
https://notcve.org/view.php?id=CVE-2020-12480
17 Aug 2020 — In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed. • https://www.playframework.com/security/vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2019-17598
https://notcve.org/view.php?id=CVE-2019-17598
05 Nov 2019 — An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host. • https://www.playframework.com/security/vulnerability • CWE-326: Inadequate Encryption Strength •

CVE-2018-18853
https://notcve.org/view.php?id=CVE-2018-18853
31 Oct 2018 — Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits. • https://github.com/spray/spray-json/issues/278 • CWE-400: Uncontrolled Resource Consumption •

CVE-2018-18854
https://notcve.org/view.php?id=CVE-2018-18854
31 Oct 2018 — Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code). • https://github.com/spray/spray-json/issues/277 • CWE-400: Uncontrolled Resource Consumption •

CVE-2018-16131
https://notcve.org/view.php?id=CVE-2018-16131
30 Aug 2018 — The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb. • https://akka.io/blog/news/2018/08/30/akka-http-dos-vulnerability-found • CWE-400: Uncontrolled Resource Consumption •

CVE-2018-16115
https://notcve.org/view.php?id=CVE-2018-16115
29 Aug 2018 — Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. • https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVE-2018-13864
https://notcve.org/view.php?id=CVE-2018-13864
17 Jul 2018 — A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests. • https://github.com/tafamace/CVE-2018-13864 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2014-3630
https://notcve.org/view.php?id=CVE-2014-3630
29 Dec 2017 — XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data. • https://groups.google.com/forum/#%21msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2015-2156
https://notcve.org/view.php?id=CVE-2015-2156
18 Oct 2017 — Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html • CWE-20: Improper Input Validation •