Play Framework Security Advisory

Http only cookie bypass

CVE ID

CVE-2015-2156

Date

09 May 2015

Description

A vulnerability has been found in Play’s cookie handling code that could allow an attacker to bypass the httpOnly flag on sensitive cookies.

Impact

Any Play apps that reflect cookie values back into the body of a response are vulnerable to this. One example of when this might be a case is if using Play’s CSRF support with csrf.cookie.name configured, such that Play stores the csrf token in a cookie rather than the default of storing it in the session.

Affected Versions

• Play 2.0 - 2.3.8

Workarounds

Upgrade to netty 3.9.8. For example:

libraryDependencies += "io.netty" % "netty" % "3.9.8.Final"

Fixes

The issue has been fixed in Play 2.3.9.

CVSS metrics (more info)

• Base: 4.0
  AV:N/AC:H/Au:N/C:P/I:P/A:N
• Temporal: 3.1
  E:POC/RL:OF/RC:C
• Environmental: 1.1
  CDP:ND/TD:L/CR:H/IR:H/AR:ND
  Environmental scores are assuming typical internet systems. Actual environmental scores for your organisation may differ.

Acknowledgements

Credit for finding this vulnerability goes to Roman Shafigullin, Luca Carettoni and Mukul Khullar from LinkedIn.