CVE-2020-12480
CSRF bypass vulnerability in play_2.12 (Maven)
What is CVE-2020-12480 About?
This vulnerability is a Cross-Site Request Forgery (CSRF) bypass in Play Framework versions 2.6.0 through 2.8.1. It allows attackers to circumvent CSRF protections, leading to unauthorized actions within the affected application. Exploiting this flaw is moderately complex, requiring crafted CORS simple requests with specific content types.
Affected Software
- com.typesafe.play:play_2.12
  - >2.8.0, <2.8.2
  - <2.7.5
Technical Details
The CSRF filter in Play Framework versions 2.6.0 through 2.8.1 can be bypassed when it processes Cross-Origin Resource Sharing (CORS) simple requests whose Content-Type header carries parameters the framework cannot parse. An attacker can craft a CORS simple request with a malformed or unusual content-type parameter. The parsing failure sends the CSRF filter down an unexpected handling path in which it does not correctly validate the request's origin or token, so the request proceeds as though it were a legitimate action not subject to CSRF protection.
What is the Impact of CVE-2020-12480?
Successful exploitation may allow attackers to perform unauthorized actions on behalf of a legitimate user, potentially leading to data manipulation, privilege escalation, or other security compromises.
What is the Exploitability of CVE-2020-12480?
Exploitation of this vulnerability requires a moderate level of technical sophistication. Attackers need to craft specific CORS simple requests with content types containing unparseable parameters. No prior authentication or specific privileges are required on the target application itself, as the bypass occurs during the initial request processing. The attack is remote, targeting the application's CSRF protection mechanism. The primary constraint is the attacker's ability to send requests from a domain that triggers the CORS mechanism and to identify content types that would lead to parsing failures within the affected Play Framework versions.
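To make the failure mode described in the technical details and exploitability sections concrete, here is an added illustrative model in Python; it is not Play's code, and the strict header grammar, function names and sample header values are assumptions of this example. It shows a CSRF filter that skips the token check only for content types a CORS preflight would protect, with a fail-open decision (an unparseable header is treated as "not a simple type") beside the fail-closed decision a defender wants.

```python
import re
from typing import Optional

# Content types a browser may send cross-origin without a CORS preflight
# ("CORS simple request" types). Requests carrying them must always get a
# CSRF token check, because CORS itself offers no protection for them.
SIMPLE_REQUEST_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Strict header grammar (an assumption of this example, not Play's parser):
# type/subtype followed only by well-formed "; name=value" parameters.
_STRICT = re.compile(
    r'^\s*([\w.+-]+/[\w.+-]+)\s*(?:;\s*[\w-]+=(?:"[^"]*"|[^;\s]+)\s*)*$'
)

def parse_strict(content_type: str) -> Optional[str]:
    """Return the media type, or None if any parameter is malformed."""
    m = _STRICT.match(content_type)
    return m.group(1).lower() if m else None

def media_type_essence(content_type: str) -> Optional[str]:
    """Return type/subtype before the first ';', ignoring parameters.

    This mirrors how a browser decides whether a request is "simple":
    only the essence matters, never the parameters.
    """
    essence = content_type.split(";", 1)[0].strip().lower()
    return essence if re.fullmatch(r"[\w.+-]+/[\w.+-]+", essence) else None

def needs_csrf_check_vulnerable(method: str, content_type: str) -> bool:
    """Fail-open decision: an unparseable header is treated as 'not a
    simple type', so the token check is skipped."""
    if method.upper() not in UNSAFE_METHODS:
        return False
    return parse_strict(content_type) in SIMPLE_REQUEST_TYPES

def needs_csrf_check_hardened(method: str, content_type: str) -> bool:
    """Fail-closed decision: require the token when the header is missing,
    cannot be parsed, or its essence is a simple-request type."""
    if method.upper() not in UNSAFE_METHODS:
        return False
    essence = media_type_essence(content_type)
    return essence is None or essence in SIMPLE_REQUEST_TYPES
```

The constructed header `text/plain; foo` is a simple-request type to a browser, yet the strict parser rejects it, which is exactly the class of input that should be handled by failing closed.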
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-12480?
Available Upgrade Options
- com.typesafe.play:play_2.12
  - <2.7.5 → Upgrade to 2.7.5
  - >2.8.0, <2.8.2 → Upgrade to 2.8.2
Additional Resources
- https://github.com/playframework/playframework
- https://nvd.nist.gov/vuln/detail/CVE-2020-12480
- https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass
- https://github.com/playframework/playframework/pull/10285
- https://github.com/playframework/playframework/commit/c82de44fc50b7c58c6e0580f1f67ff08aa7bd154
- https://www.playframework.com/security/vulnerability
- https://osv.dev/vulnerability/GHSA-cf8j-64h9-6q58
What are Similar Vulnerabilities to CVE-2020-12480?
Similar Vulnerabilities: CVE-2018-8086, CVE-2017-1000454, CVE-2015-2207, CVE-2014-0010, CVE-2013-4334
