30 Dec 2015
A vulnerability has been found in Play 1’s session handling.
It is possible for a third party to acquire session information for another in-progress request.
Any application that uses the session in the processing of a 500 error page is vulnerable to attack.
- Play 1.4.0
- Play 1.3.0 - 1.3.2
- Play 1.2.6 - 22.214.171.124
- Play 1.0 - 126.96.36.199
Do not use the session when generating a 500 error page.
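One way to audit an application for this workaround is the following added example, which is not code from the Play project. It assumes the 500 page is rendered from `errors/500.html` under `app/views`, that `#{extends}` and `#{include}` paths resolve relative to that directory, and that any bare `session` token is worth a manual review. The function names and the sample templates are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Play 1 template tags that pull another template into the rendered page.
TAG_RE = re.compile(r"#\{\s*(?:extends|include)\s+['\"]([^'\"]+)['\"]")
# Assumption: any bare `session` token is a candidate for manual review.
SESSION_RE = re.compile(r"\bsession\b")


def find_session_use(views_dir, start="errors/500.html"):
    """Return sorted (template, line_no, text) hits reachable from `start`."""
    views = Path(views_dir)
    todo, seen, hits = [start], set(), []
    while todo:
        name = todo.pop()
        if name in seen:
            continue  # guards against include cycles
        seen.add(name)
        path = views / name
        if not path.is_file():
            continue  # template lives elsewhere (e.g. a module); not followed
        lines = path.read_text(encoding="utf-8").splitlines()
        for no, line in enumerate(lines, 1):
            if SESSION_RE.search(line):
                hits.append((name, no, line.strip()))
            todo.extend(TAG_RE.findall(line))
    return sorted(hits)


def demo():
    """Audit a constructed views tree where the layout header uses the session."""
    with tempfile.TemporaryDirectory() as d:
        views = Path(d)
        (views / "errors").mkdir()
        (views / "errors/500.html").write_text(
            "#{extends 'main.html' /}\n<h1>Oops</h1>\n")
        (views / "main.html").write_text(
            "<html><body>\n#{include 'header.html' /}\n#{doLayout /}\n</body></html>\n")
        (views / "header.html").write_text(
            "<p>Signed in as ${session.username}</p>\n")
        return find_session_use(views)


if __name__ == "__main__":
    for name, no, text in demo():
        print(f"{name}:{no}: {text}")
```

The constructed tree shows the case that is easy to miss: the 500 template itself is clean, but the layout it extends includes a header that reads the session. Custom tags and Java code reached from the template are not followed and still need a manual check.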
Upgrade to the appropriate version below:
Credit for finding this vulnerability goes to Codeborne.