Play Framework Session Injection Security Vulnerability

916 views

Skip to first unread message

James Roper

unread,

Aug 6, 2013, 9:16:56 AM8/6/13

to play-framew...@googlegroups.com

A security vulnerability has been found in all stable versions of Play Framework released before August 6th 2013. The vulnerability allows an attacker to inject arbitrary keys and values into their own session. Applications that use the session for authentication may be susceptible to the attacker being able to log in as any user.

This vulnerability has been fixed for all major stable versions of Play, and fixes can be downloaded here:

http://downloads.typesafe.com/play/2.1.3/play-2.1.3.zip

http://downloads.typesafe.com/play/2.0.6/play-2.0.6.zip

http://downloads.typesafe.com/play/1.2.6/play-1.2.6.zip

The Play team strongly recommends that anyone using Play sessions upgrade to one of the above releases of Play.

For more details on this vulnerability, please see the vulnerability advisory on the Play website:

http://www.playframework.com/security/vulnerability/20130806-SessionInjection

Regards,

James Roper
Software Engineer

Typesafe – Build reactive apps!
Twitter: @jroper

Reply all

Reply to author

Forward

0 new messages