CVE-2020-12480 - CSRF Content-Type black list bypass


James Roper

Aug 16, 2020, 9:40:27 PM
to play-framew...@googlegroups.com
A vulnerability has been found in Play Framework's CSRF filter. If being used with a Content-Type blacklist (non-default configuration), in certain situations, an attacker may be able to bypass the blacklist by submitting a badly formed content type header.

This affects Play 2.6.x, 2.7.0-2.7.4, and 2.8.0-2.8.1. It is fixed in Play 2.7.5 and 2.8.2.

For details on this vulnerability, please see the advisory on the Play website:
https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass

--
James Roper
Senior Architect, Cloudstate, Lightbend, Inc.
@jroper


I'm stuck in an email signature factory, please send help!
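
An illustration of the failure class the announcement describes, added here and not taken from Play's code or from the original post: a Content-Type deny list that fails open on a header it cannot parse, beside a fail-closed variant. The parsing behaviour, the deny-list entries, the sample headers and all function names are assumptions made for the example; the advisory linked above describes Play's actual behaviour.

```python
import re

# Simplified media-type grammar: type/subtype plus optional name=value parameters.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(
    rf'^({_TOKEN}/{_TOKEN})(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|"[^"]*"))*$'
)

# Hypothetical deny list: content types that require a CSRF token.
DENY_LIST = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

def parse_media_type(header):
    """Return the lower-cased type/subtype, or None if absent or malformed."""
    if header is None:
        return None
    match = _MEDIA_TYPE.match(header.strip())
    return match.group(1).lower() if match else None

def needs_csrf_check_fail_open(header):
    """Deny-list check that fails open: an unparseable header matches no
    deny-list entry, so the request skips the CSRF check."""
    media_type = parse_media_type(header)
    return media_type is not None and media_type in DENY_LIST

def needs_csrf_check_fail_closed(header):
    """Hardened check: an absent or unparseable header is treated as
    requiring the CSRF check instead of being waved through."""
    media_type = parse_media_type(header)
    return media_type is None or media_type in DENY_LIST

# Constructed sample headers (not taken from the advisory).
SAMPLES = [
    "application/x-www-form-urlencoded",
    "multipart/form-data; boundary=abc",
    "application/json",
    "text/plain; charset",  # malformed: parameter without a value
]

def compare():
    """Return (header, fail_open_result, fail_closed_result) per sample."""
    return [(h, needs_csrf_check_fail_open(h), needs_csrf_check_fail_closed(h))
            for h in SAMPLES]

if __name__ == "__main__":
    for header, fail_open, fail_closed in compare():
        print(f"{header!r:45} fail-open={fail_open!s:5} fail-closed={fail_closed}")
```

The two checks differ only on the malformed header, which is why an allow list of content types that may skip the check, or failing closed on parse errors, is the safer configuration.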