Base Score

LOW2.7

CVE-2020-28923

An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON.

VectorNETWORK

Published Bycve@mitre.org

Published DateDec 03, 2020, 17:15

Affected Versions(1)

com.typesafe.play:play(Maven)

Introduced2.8.0

Fixed2.8.5

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.typesafe.play:play(Maven)	2.8.0	2.8.5	N/A

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

2.7

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

LOW2.7

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

2.7

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE