com.typesafe.play:play_2.12@2.8.9 vulnerabilities

  • latest version

    2.8.22

  • latest non vulnerable version

  • first published

    7 years ago

  • latest version published

    6 months ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the com.typesafe.play:play_2.12 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Information Exposure

    com.typesafe.play:play_2.12 is a library for building scalable web applications with Java and Scala.

    Affected versions of this package are vulnerable to Information Exposure due to the generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its DefaultHttpErrorHandler to do so based on the application mode. Its Scala API Play also provides a static object DefaultHttpErrorHandler configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the DefaultHttpErrorHandler object instance as the injected error handler. Both of these situations could result in verbose errors displayed to users in a production application, which could expose sensitive information from the application. In particular, the constructor for CORSFilter and apply method for CORSActionBuilder use the static object DefaultHttpErrorHandler as a default value.

    How to fix Information Exposure?

    Upgrade com.typesafe.play:play_2.12 to version 2.8.16 or higher.

    [,2.8.16)
    • H
    Denial of Service (DoS)

    com.typesafe.play:play_2.12 is a library for building scalable web applications with Java and Scala.

    Affected versions of this package are vulnerable to Denial of Service (DoS) which can occur when using either the Form#bindFromRequest method on a JSON request body or the Form#bind method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an OutOfMemoryError. If executing on the default dispatcher and akka.jvm-exit-on-fatal-error is enabled—as it is by default—then this can crash the application process. Form.bindFromRequest is vulnerable when using any body parser that produces a type of AnyContent or JsValue in Scala, or one that can produce a JsonNode in Java. This includes Play's default body parser.

    How to fix Denial of Service (DoS)?

    Upgrade com.typesafe.play:play_2.12 to version 2.8.16 or higher.

    [2.8.3,2.8.16)