CVE-2020-27196 - DoS via JSON Stack Overflow
40 views
Skip to first unread message
Ignasi Marimon-Clos i Sunyol
Nov 23, 2020, 5:35:15 AM11/23/20
to play-framew...@googlegroups.com
Play body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError.
This vulnerability affects Play 2.7.0 to 2.7.5 and Play 2.8.0 to 2.8.2.
This issue is fixed on Play 2.8.3 and 2.7.6. Please upgrade as soon as possible to avoid this security issue.
For details on this vulnerability, please see the advisory on the Play website:
https://www.playframework.com/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow
--
Ignasi Marimon-Clos
Senior Engineer @ Akka team
This vulnerability affects Play 2.7.0 to 2.7.5 and Play 2.8.0 to 2.8.2.
This issue is fixed on Play 2.8.3 and 2.7.6. Please upgrade as soon as possible to avoid this security issue.
For details on this vulnerability, please see the advisory on the Play website:
https://www.playframework.com/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow
--
Ignasi Marimon-Clos
Senior Engineer @ Akka team
Reply all
Reply to author
Forward
0 new messages