Path traversal in Assets controller
16 Jul 2018
The Play Assets controller did not correctly handle paths when the application was running on Windows, which exposed the application to a path traversal exploit.
When an application is running on Windows, it is possible to access files on the classpath stored outside the
public folder, such as the
Note that this issue only affects Windows; it does not affect Linux.
- Play 2.6.12-2.6.15
Versions prior to 2.6.12, including 2.5.x and earlier, are not affected by this vulnerability.
This issue is fixed in Play 2.6.16.
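To check a build against the version range above, the following added example (not part of the original advisory or the Play project's code) reads the Play sbt plugin declaration from `project/plugins.sbt` content and classifies it. The function names and the sample input are hypothetical, and the check assumes the version is written as a string literal in the `addSbtPlugin` call.

```python
import re

# Range stated in the advisory: 2.6.12-2.6.15 affected, fixed in 2.6.16.
FIRST_AFFECTED = (2, 6, 12)
FIRST_FIXED = (2, 6, 16)

# Play sbt plugin declaration as it appears in project/plugins.sbt.
PLUGIN_RE = re.compile(
    r'addSbtPlugin\(\s*"com\.typesafe\.play"\s*%\s*"sbt-plugin"\s*%\s*"([^"]+)"\s*\)'
)

# Constructed sample input (not from the advisory).
SAMPLE_PLUGINS_SBT = '''
// addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.6.11")
addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.6.13")
'''

def play_version_from_plugins(plugins_sbt):
    """Return the declared Play version string, skipping // comments."""
    for line in plugins_sbt.splitlines():
        match = PLUGIN_RE.search(line.split("//", 1)[0])
        if match:
            return match.group(1)
    return None

def assess(plugins_sbt, runs_on_windows):
    """Classify a build against the advisory's version range and platform."""
    version = play_version_from_plugins(plugins_sbt)
    if version is None:
        return "unknown: no literal Play sbt-plugin version found"
    # Only plain X.Y.Z releases are classified; the advisory says nothing
    # about snapshots or release candidates, so those are reported as unknown.
    release = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if release is None:
        return f"unknown: cannot classify version {version}"
    parsed = tuple(int(part) for part in release.groups())
    if not (FIRST_AFFECTED <= parsed < FIRST_FIXED):
        return f"not affected: Play {version}"
    if runs_on_windows:
        return f"affected: Play {version} on Windows, upgrade to 2.6.16"
    return f"in range, not exposed: Play {version} is not deployed on Windows"

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGINS_SBT, runs_on_windows=True))
```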
Credit for finding this vulnerability goes to the Qihoo360 Redteam.