{"containers": {"cna": {"affected": [{"product": "playframework", "vendor": "playframework", "versions": [{"status": "affected", "version": ">= 2.8.3, < 2.8.16"}]}], "descriptions": [{"lang": "en", "value": "Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled\u2014as it is by default\u2014then this can crash the application process. `Form.bindFromRequest` is vulnerable when using any body parser that produces a type of `AnyContent` or `JsValue` in Scala, or one that can produce a `JsonNode` in Java. This includes Play's default body parser. This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if necessary. As a workaround, applications that do not need to parse a request body of type `application/json` can switch from the default body parser to another body parser that supports only the specific type of body they expect."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-02T16:45:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/playframework/playframework/security/advisories/GHSA-v8x6-59g4-5g3w"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/playframework/playframework/pull/11301"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"}], "source": {"advisory": "GHSA-v8x6-59g4-5g3w", "discovery": "UNKNOWN"}, "title": "Denial of service binding form from JSON in Play Framework", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31018", "STATE": "PUBLIC", "TITLE": "Denial of service binding form from JSON in Play Framework"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "playframework", "version": {"version_data": [{"version_value": ">= 2.8.3, < 2.8.16"}]}}]}, "vendor_name": "playframework"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled\u2014as it is by default\u2014then this can crash the application process. `Form.bindFromRequest` is vulnerable when using any body parser that produces a type of `AnyContent` or `JsValue` in Scala, or one that can produce a `JsonNode` in Java. This includes Play's default body parser. This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if necessary. As a workaround, applications that do not need to parse a request body of type `application/json` can switch from the default body parser to another body parser that supports only the specific type of body they expect."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/playframework/playframework/security/advisories/GHSA-v8x6-59g4-5g3w", "refsource": "CONFIRM", "url": "https://github.com/playframework/playframework/security/advisories/GHSA-v8x6-59g4-5g3w"}, {"name": "https://github.com/playframework/playframework/pull/11301", "refsource": "MISC", "url": "https://github.com/playframework/playframework/pull/11301"}, {"name": "https://github.com/playframework/playframework/releases/tag/2.8.16", "refsource": "MISC", "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"}]}, "source": {"advisory": "GHSA-v8x6-59g4-5g3w", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31018", "datePublished": "2022-06-02T16:45:13", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2022-06-02T16:45:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lightbend:play_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BBDB71E-9591-43F8-B82A-139C92ADDAA4", "versionEndIncluding": "2.8.15", "versionStartIncluding": "2.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled\u2014as it is by default\u2014then this can crash the application process. `Form.bindFromRequest` is vulnerable when using any body parser that produces a type of `AnyContent` or `JsValue` in Scala, or one that can produce a `JsonNode` in Java. This includes Play's default body parser. This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if necessary. As a workaround, applications that do not need to parse a request body of type `application/json` can switch from the default body parser to another body parser that supports only the specific type of body they expect."}, {"lang": "es", "value": "Play Framework es un framework web para Java y Scala. Se ha detectado una vulnerabilidad de denegaci\u00f3n de servicio en las versiones 2.8.3 a 2.8.15 de la biblioteca de formularios de Play, tanto en la API de Scala como en la de Java. Esto puede ocurrir cuando es usado el m\u00e9todo \"Form#bindFromRequest\" sobre un cuerpo de petici\u00f3n JSON o el m\u00e9todo \"Form#bind\" directamente sobre un valor JSON. Si los datos JSON que son vinculados al formulario contienen un objeto JSON anidado profundamente o un array, la implementaci\u00f3n de la vinculaci\u00f3n del formulario puede consumir todo el espacio disponible en la pila y causar un \"OutOfMemoryError\". Si es ejecutado en el despachador por defecto y \"akka.jvm-exit-on-fatal-error\" est\u00e1 habilitado -como lo est\u00e1 por defecto- entonces esto puede bloquear el proceso de la aplicaci\u00f3n. \"Form.bindFromRequest\" es vulnerable cuando es usado cualquier analizador de cuerpo que produce un tipo de \"AnyContent\" o \"JsValue\" en Scala, o uno que puede producir un \"JsonNode\" en Java. Esto incluye el analizador de cuerpos por defecto de Play. Esta vulnerabilidad ha sido parcheada en versi\u00f3n 2.8.16. Ahora se presenta un l\u00edmite global en la profundidad de un objeto JSON que puede ser analizado, que puede ser configurado por el usuario si es necesario. Como mitigaci\u00f3n, las aplicaciones que no necesiten analizar un cuerpo de petici\u00f3n de tipo \"application/json\" pueden cambiar el analizador de cuerpos por defecto por otro que s\u00f3lo soporte el tipo de cuerpo espec\u00edfico que esperan"}], "id": "CVE-2022-31018", "lastModified": "2022-06-13T12:26:58.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-06-02T17:15:07.617", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/playframework/playframework/pull/11301"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/playframework/playframework/releases/tag/2.8.16"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/playframework/playframework/security/advisories/GHSA-v8x6-59g4-5g3w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}