playframework.org
External Program
Submit bugs directly to this organization
The best way to receive all security announcements is to subscribe to the [Play security list](//groups.google.com/forum/#!forum/play-framework-security).
The mailing list is very low traffic and receives notifications only after security reports have been handled by the core team and fixes are publicly available.
We strongly encourage people to report such problems to our private security mailing list first, before disclosing them in a public forum.
All security bugs in Play should be reported by email to mailto:[email protected]. This list is delivered to a subset of the core team who handle security issues.
//github.com/playframework/playframework/security/advisories/GHSA-v8x6-59g4-5g3w - Denial of service when binding forms from JSON
//github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh - Dev error stack trace leaking into prod
[CVE-2020-26882-JsonParseDataAmplification](/security/vulnerability/CVE-2020-26882-JsonParseDataAmplification) - JSON parse Data Amplification
[CVE-2020-26883-JsonParseUncontrolledRecursion](/security/vulnerability/CVE-2020-26883-JsonParseUncontrolledRecursion) - JSON parse Uncontrolled Recursion
[CVE-2020-27196-DosViaJsonStackOverflow](/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow) - DoS via JSON parse Stack Overflow
[CVE-2020-12480-CsrfBlacklistBypass](/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass) - Play CSRF Filter Content-Type black list bypass
[CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders](/security/vulnerability/CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders) - Play-WS sending HTTP CONNECT including authorization headers to target host
[CVE-2018-13864-PathTraversal](/security/vulnerability/CVE-2018-13864-PathTraversal) - Path traversal in Assets controller
/security/vulnerability/20171005-CorsVaryHeader - improper Vary header handling in CORS filter
/security/vulnerability/20170828-InvalidUriParsing - AsyncHttpClient and Play WS URI parsing vulnerability
/security/vulnerability/20170407-LogbackDeser - Java Deserialization vulnerability in Logback SocketAppender
/security/vulnerability/20170120-WSOAuthDoS - WS OAuth Denial of Service
/security/vulnerability/20160304-CsrfBypass - CSRF Bypass
/security/vulnerability/20160622-JavaScriptRouterXSS - JavaScript router XSS
[CVE-2015-2156-HttpOnlyBypass](/security/vulnerability/CVE-2015-2156-HttpOnlyBypass) - HttpOnly cookie bypass
[CVE-2014-3630-XmlExternalEntity](/security/vulnerability/CVE-2014-3630-XmlExternalEntity) - XML external entity vulnerability
/security/vulnerability/20130920-XmlExternalEntity - XML external entity vulnerability
/security/vulnerability/20130911-XmlExternalEntity - XML external entity vulnerability
/security/vulnerability/20130806-SessionInjection - Session injection vulnerability
/security/vulnerability/20160301-XssSecureModule - XSS vulnerability in the Secure module login page
/security/vulnerability/20151230-SessionHijack - Session Hijack vulnerability
/security/vulnerability/20150506-XssUrlParamerter - XSS URL parameter vulnerability