06 Aug 2013

A vulnerability has been found in Play’s session encoding.

An attacker may inject arbitrary data into a session by tricking an application into placing a specially crafted value containing null bytes into the Play session.

Any application that places user input into Play’s stateless, cookie-based session mechanism may be vulnerable.

Typically this affects applications that store the username in the session for authentication purposes, and allows an attacker to identify themselves as another user.

Affected versions:

Play 2.1.0 - 2.1.2
Play 2.0 - 2.0.5
Play 1.2 - 1.2.5
Play 1.1 - 1.1.2
Play 1.0 - 1.0.3.3

As a workaround, validate that no value placed into the session contains a null byte, and reject any value that does before it reaches the session.

Upgrade to the appropriate fixed release.
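The following is an added, self-contained example, not code from the advisory or from the Play project. It models a signed session cookie as a string of `key:value` records separated by NUL bytes (an assumption made here for illustration; the advisory does not spell out the encoding), shows how a NUL byte smuggled into one stored value becomes an extra record or overrides an existing one once the cookie is read back, and then shows the two defences: the workaround above (reject values containing NUL) and a separator-safe encoding that percent-encodes keys and values. The secret key and the `login_*` helpers are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo secret; a real deployment signs with its configured application secret.
SECRET = b"constructed-demo-secret"
SEP = "\u0000"  # assumed record separator of the pre-fix style encoding


def sign(payload: str) -> str:
    """HMAC-SHA1 over the serialized session, hex encoded (assumed scheme)."""
    return hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha1).hexdigest()


def encode_vulnerable(data: dict) -> str:
    """Pre-fix style: 'key:value' records joined with NUL, then signed.
    Values are stored verbatim, so a NUL inside a value is indistinguishable
    from a record boundary when the cookie is decoded. The signature does not
    help: the application itself signs the poisoned payload."""
    payload = SEP.join(f"{k}:{v}" for k, v in data.items())
    return f"{sign(payload)}-{payload}"


def decode_vulnerable(cookie: str) -> dict:
    sig, _, payload = cookie.partition("-")
    if not hmac.compare_digest(sig, sign(payload)):
        raise ValueError("session signature mismatch")
    session = {}
    for record in payload.split(SEP):
        key, _, value = record.partition(":")
        session[key] = value  # a later record silently overrides an earlier one
    return session


def check_no_nul(value: str) -> str:
    """The advisory's workaround: refuse any value carrying a null byte."""
    if SEP in value:
        raise ValueError("session values must not contain null bytes")
    return value


def encode_fixed(data: dict) -> str:
    """Separator-safe encoding: keys and values are percent-encoded, so a NUL
    in a value travels as %00 and can never be mistaken for a delimiter."""
    payload = urlencode(data)
    return f"{sign(payload)}-{payload}"


def decode_fixed(cookie: str) -> dict:
    sig, _, payload = cookie.partition("-")
    if not hmac.compare_digest(sig, sign(payload)):
        raise ValueError("session signature mismatch")
    return dict(parse_qsl(payload, keep_blank_values=True, strict_parsing=True))


def login_vulnerable(username: str) -> dict:
    """Constructed app behaviour: store the (attacker-chosen) username, then read it back."""
    return decode_vulnerable(encode_vulnerable({"username": username}))


def login_with_workaround(username: str) -> dict:
    return decode_vulnerable(encode_vulnerable({"username": check_no_nul(username)}))


def login_fixed(username: str) -> dict:
    return decode_fixed(encode_fixed({"username": username}))


if __name__ == "__main__":
    # Constructed attacker input: a username carrying a NUL and a forged record.
    print(login_vulnerable("bob\u0000role:admin"))        # {'username': 'bob', 'role': 'admin'}
    print(login_vulnerable("guest\u0000username:admin"))  # {'username': 'admin'}
    print(login_fixed("bob\u0000role:admin"))             # {'username': 'bob\x00role:admin'}
    try:
        login_with_workaround("bob\u0000role:admin")
    except ValueError as e:
        print("rejected:", e)
```

The decisive detail is that the forged record is signed by the application itself, so signature verification passes; only input validation or an encoding in which the delimiter cannot appear inside a value closes the hole.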

CVSS metrics

Base: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Temporal: 5.6 (E:H/RL:OF/RC:C)

Environmental: 6.8 (CDP:ND/TD:H/CR:H/IR:H/AR:ND)

Environmental scores are assuming typical internet systems. Actual environmental scores for your organisation may differ.

Credit for finding this vulnerability goes to the National Australia Bank Security Assurance Team.