Play Framework Security Advisory

Path traversal in Assets controller

CVE ID

CVE-2018-13864

Date

16 Jul 2018

Description

The Play Assets controller did not handle requested asset paths correctly when the application was running on Windows, which exposed the application to a path traversal attack through asset requests.

Impact

When an application is running on Windows, an unauthenticated remote client can read files on the classpath that are stored outside the public folder, such as conf/application.conf (which typically holds the application secret and database credentials).

Note that this issue only affects applications running on Windows; deployments on Linux are not affected.
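The following is an added illustration in Python, not Play's own Scala code and not necessarily the exact defect fixed in 2.6.16: it shows the general failure mode behind a Windows-only traversal in an asset server by contrasting a guard that only treats '/' as a path separator with one that also normalises '\', since on Windows the JVM's file APIs resolve both characters as separators. The function names, the classpath layout and the sample requests are constructed for this example.

```python
import posixpath
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed classpath layout for this example: served assets live under
# "public/"; "conf/application.conf" sits beside it on the classpath.
PUBLIC_ROOT = "public"


def weak_resolve(requested: str) -> Optional[str]:
    """Traversal guard that only knows '/' as a separator (illustrative).

    It URL-decodes, normalises with POSIX rules and refuses any remaining
    '..' segment.  On Linux that is enough.  On Windows the JVM also treats
    '\\' as a separator, so '..\\conf\\application.conf' survives here as one
    innocent-looking segment and is then resolved by the OS as a traversal.
    """
    decoded = unquote(requested)
    norm = posixpath.normpath("/" + decoded).lstrip("/")
    if not norm or ".." in norm.split("/"):
        return None
    return f"{PUBLIC_ROOT}/{norm}"


def hardened_resolve(requested: str) -> Optional[str]:
    """Guard that holds regardless of the host OS's separator rules."""
    decoded = unquote(requested)
    if "\x00" in decoded:                  # NUL would truncate the name in native APIs
        return None
    unified = decoded.replace("\\", "/")   # treat backslash as a separator everywhere
    norm = posixpath.normpath(unified)     # a relative path keeps any leading '..'
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    if norm.startswith("/") or ":" in parts[0]:   # absolute or drive-letter path
        return None
    return f"{PUBLIC_ROOT}/{'/'.join(parts)}"


# Constructed sample requests, including the URL-encoded backslash form (%5c).
SAMPLE_REQUESTS: List[str] = [
    "css/main.css",
    "images/../logo.png",
    "../conf/application.conf",
    "..\\conf\\application.conf",
    "%2e%2e%5cconf%5capplication.conf",
    "C:\\Windows\\win.ini",
]


def compare(requests: List[str] = SAMPLE_REQUESTS) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each request to (weak result, hardened result) so the gap is visible."""
    return {r: (weak_resolve(r), hardened_resolve(r)) for r in requests}


if __name__ == "__main__":
    for req, (weak, hard) in compare().items():
        print(f"{req!r:38} weak={weak!r:42} hardened={hard!r}")
```

Run on the sample requests, the weak guard passes `..\conf\application.conf` (and its `%5c`-encoded form) through as `public/..\conf\application.conf`, which a Windows host resolves to `conf\application.conf`; the hardened guard rejects both, while still accepting ordinary asset paths such as `images/../logo.png` after normalisation.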

Affected versions

Play 2.6.12 through 2.6.15 are affected. Versions prior to 2.6.12, including 2.5.x and earlier, are not affected by this vulnerability.
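As an added check (example code, not part of the advisory or of Play), the following Python scans a project's `project/plugins.sbt` for the Play sbt plugin declaration and reports whether the pinned version falls in the affected range above. It assumes the usual `addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "<version>")` form and, as a simplification for this example, ignores any pre-release qualifier when comparing versions; the sample file contents are constructed.

```python
import re
from typing import List, Optional, Tuple

# Affected range stated in the advisory: 2.6.12 through 2.6.15, fixed in 2.6.16.
FIRST_AFFECTED = (2, 6, 12)
FIRST_FIXED = (2, 6, 16)

# Usual declaration of the Play sbt plugin in project/plugins.sbt.
PLUGIN_RE = re.compile(
    r'addSbtPlugin\(\s*"com\.typesafe\.play"\s*%\s*"sbt-plugin"\s*%\s*"([^"]+)"\s*\)'
)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch); a trailing qualifier such as '-RC1' is
    ignored (simplifying assumption for this example)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in [2.6.12, 2.6.16)."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Play version string: {version!r}")
    return FIRST_AFFECTED <= v < FIRST_FIXED


def scan_plugins_sbt(text: str) -> List[Tuple[str, bool]]:
    """(version, affected) for every Play sbt-plugin declaration in the file."""
    return [(m.group(1), is_affected(m.group(1))) for m in PLUGIN_RE.finditer(text)]


# Constructed sample of a project/plugins.sbt file.
SAMPLE_PLUGINS_SBT = '''
logLevel := Level.Warn
addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.6.13")
addSbtPlugin("com.typesafe.sbt" % "sbt-native-packager" % "1.3.4")
'''

if __name__ == "__main__":
    for version, affected in scan_plugins_sbt(SAMPLE_PLUGINS_SBT):
        verdict = "affected on Windows, upgrade to 2.6.16" if affected else "not affected"
        print(f"Play {version}: {verdict}")
```

The version match is deliberately strict to the three-part form; a project that overrides the Play version elsewhere (for example through a `playVersion` setting) would need that source checked as well.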

Fixes

This issue is fixed in Play 2.6.16.

CVSS metrics

Overall: 6.7
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

The 6.7 is the CVSS v3 temporal score; the base metrics alone (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) score 7.5, reduced by the temporal metrics E:P (proof-of-concept exploit), RL:O (official fix available) and RC:C (confirmed).

Acknowledgements

Credit for finding this vulnerability goes to the Qihoo360 Redteam.