Improper Vary header handling in CORS filter
5 Oct 2017
Play’s CORS filter will overwrite the
Vary header in certain configurations, which in some circumstances can cause cache poisoning. This could expose sensitive information to unauthorized users.
When the CORS filter is used to match against a specific set of origins (as opposed to allowing any origin), it adds the
Vary: Origin header in the response. In doing so it also overwrites any existing values for the
Vary header, making the application vulnerable to cache poisoning.
This only impacts applications that set
Vary headers in actions filtered by the CORS filter.
- Play 2.6.0-2.6.5 (fixed in 2.6.6)
- Play 2.4.0-2.5.17 (fixed in 2.5.18)
Disable the CORS filter (if it is not needed) or disable caching completely (
Cache-Control: no-cache) for any pages that depend on additional headers being added to
This issue is fixed in Play 2.6.6 and Play 2.5.18.