JSON parse Data Amplification
1 October 2020
Carefully crafted JSON payloads sent as a form field lead to Data Amplification.
Affects users that accept JSON as a field of a Form upload (multipart/form-data).
- Play 2.8.0-2.8.2
- Play 2.7.0-2.7.5
- Play 2.6.x
This issue is fixed on Play 2.8.3 and 2.7.6. There won’t be a 2.6.x release with this fix since this version has reached end-of-support, please upgrade as soon as possible to avoid this security issue.
CVSS Metrics (more info)
Credit for finding this vulnerability goes to The Gemini Security Team, Doyensec and @lucash-dev.