Vulnerabilities > Lightbend

DATE CVE VULNERABILITY TITLE RISK
2020-08-17 CVE-2020-12480 Cross-Site Request Forgery (CSRF) vulnerability in Lightbend Play Framework
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
network
low complexity
lightbend CWE-352
6.5
2019-11-05 CVE-2019-17598 Inadequate Encryption Strength vulnerability in Lightbend Play Framework
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23.
network
low complexity
lightbend CWE-326
7.5
2018-10-31 CVE-2018-18854 Resource Exhaustion vulnerability in Lightbend Spray-Json
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code).
network
low complexity
lightbend CWE-400
7.5
2018-10-31 CVE-2018-18853 Resource Exhaustion vulnerability in Lightbend Spray-Json
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits.
network
low complexity
lightbend CWE-400
7.5
2018-08-30 CVE-2018-16131 Resource Exhaustion vulnerability in Lightbend Akka Http
The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb.
network
low complexity
lightbend CWE-400
7.5
2018-08-29 CVE-2018-16115 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Lightbend Akka
Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error.
network
low complexity
lightbend CWE-338
critical
9.1
2018-07-17 CVE-2018-13864 Path Traversal vulnerability in Lightbend Play Framework
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows.
network
low complexity
lightbend CWE-22
7.5
2017-12-29 CVE-2014-3630 XXE vulnerability in multiple products
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
network
low complexity
playframework lightbend CWE-611
critical
9.8
2017-10-18 CVE-2015-2156 Improper Input Validation vulnerability in multiple products
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
network
low complexity
netty playframework lightbend CWE-20
7.5