Play Framework Http Only Cookie Bypass Vulnerability
209 views
Skip to first unread message
James Roper
May 8, 2015, 10:01:19 PM5/8/15
to play-framew...@googlegroups.com
A security vulnerability has been found in all versions of Play Framework up to and including 2.3.8. It affects applications that reflect cookie values back in HTML pages, for example, applications using Play’s CSRF support configured to store the CSRF token in a cookie (the default behavior is to store the token in the session).
This vulnerability has been fixed in Play 2.3.9, and workarounds have been published for other major versions of Play.
The Play team recommends that all Play users assess their application to see if they are reflecting cookies back in HTML pages, and if they are, upgrade to Play 2.3.9.
For details on this vulnerability, including the workarounds, please see the vulnerability advisory on the Play website:
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
Regards,
--
This vulnerability has been fixed in Play 2.3.9, and workarounds have been published for other major versions of Play.
The Play team recommends that all Play users assess their application to see if they are reflecting cookies back in HTML pages, and if they are, upgrade to Play 2.3.9.
For details on this vulnerability, including the workarounds, please see the vulnerability advisory on the Play website:
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
Regards,
--
Reply all
Reply to author
Forward
0 new messages