GHSA-h48w-c35p-6m8x

Suggest an improvement
Source
https://github.com/advisories/GHSA-h48w-c35p-6m8x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-h48w-c35p-6m8x/GHSA-h48w-c35p-6m8x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h48w-c35p-6m8x
Aliases
Published
2022-02-10T20:23:25Z
Modified
2023-11-08T04:03:21.011390Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Out-of-bounds Write in Play Framework
Details

An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

References

Affected packages

Maven / com.typesafe.play:play

Package

Name
com.typesafe.play:play
View open source insights on deps.dev
Purl
pkg:maven/com.typesafe.play/play

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.0
Fixed
2.7.6

Maven / com.typesafe.play:play

Package

Name
com.typesafe.play:play
View open source insights on deps.dev
Purl
pkg:maven/com.typesafe.play/play

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.3

Maven / com.typesafe.play:play-java

Package

Name
com.typesafe.play:play-java
View open source insights on deps.dev
Purl
pkg:maven/com.typesafe.play/play-java

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.0
Fixed
2.7.6

Maven / com.typesafe.play:play-java

Package

Name
com.typesafe.play:play-java
View open source insights on deps.dev
Purl
pkg:maven/com.typesafe.play/play-java

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.3