Play Framework Security Advisory

CSRF Content-Type black list bypass

CVE-ID

CVE-2020-12480

Date

10 August 2020

Description

In some situations, Play’s contentType.blackList for Cross-Site Request Forgery (CSRF) protection could be bypassed by sending a malformed Content-Type.

Impact

This only impacts Play applications that use Play’s built in CSRF filter, and have configured a black list of Content-Types for CSRF protection. In Play’s default configuration, a black list is not configured, rather, all requests have CSRF protection applied regardless of content types, and so this vulnerability does not impact applications that use the default configuration.

If a black list is used, the result is that a malicious user may be able to perform a CSRF attack on the Play application.

Affected versions

Fixes

This issue is fixed on Play 2.8.2 and 2.7.5. There won’t be a 2.6.x release with this fix since this version has reached end-of-life, please upgrade as soon as possible to avoid this security issue.

CVSS Metrics (more info)

Overall: 3.6
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:U

Acknowledgements

Credit for finding this vulnerability goes to Kevin Joensen from https://www.doyensec.com/.