Vulnerabilities > Lightbend
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-17 | CVE-2020-12480 | Cross-Site Request Forgery (CSRF) vulnerability in Lightbend Play Framework In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed. | 4.3 |
| 2019-11-05 | CVE-2019-17598 | Inadequate Encryption Strength vulnerability in Lightbend Play Framework An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. | 4.3 |
| 2018-10-31 | CVE-2018-18854 | Resource Exhaustion vulnerability in Lightbend Spray-Json Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code). | 5.0 |
| 2018-10-31 | CVE-2018-18853 | Resource Exhaustion vulnerability in Lightbend Spray-Json Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits. | 5.0 |
| 2018-08-30 | CVE-2018-16131 | Resource Exhaustion vulnerability in Lightbend Akka Http The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb. | 7.5 |
| 2018-08-29 | CVE-2018-16115 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Lightbend Akka Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. | 6.4 |
| 2018-07-17 | CVE-2018-13864 | Path Traversal vulnerability in Lightbend Play Framework A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. | 5.0 |
| 2017-12-29 | CVE-2014-3630 | XXE vulnerability in multiple products XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data. | 9.8 |
| 2017-10-18 | CVE-2015-2156 | Improper Input Validation vulnerability in multiple products Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. | 7.5 |