JSON parse Data Amplification
CVE-ID
CVE-2020-26882
Date
1 October 2020
Description
Carefully crafted JSON payloads sent as a form field lead to Data Amplification.
Impact
Affects users that accept JSON as a field of a Form upload (multipart/form-data).
Affected versions
- Play 2.8.0-2.8.2
- Play 2.7.0-2.7.5
- Play 2.6.x
Fixes
This issue is fixed on Play 2.8.3 and 2.7.6. There won’t be a 2.6.x release with this fix since this version has reached end-of-support, please upgrade as soon as possible to avoid this security issue.
CVSS Metrics (more info)
Overall: 6.7
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Acknowledgements
Credit for finding this vulnerability goes to The Gemini Security Team, Doyensec and @lucash-dev.