
CVE-2020-12480: CSRF in Play Framework

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.062%
Published: 8/18/2020
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name                | Ecosystem | Vulnerable Versions | First Patched Version
com.typesafe.play:play_2.12 | maven     | < 2.7.5             | 2.7.5
com.typesafe.play:play_2.12 | maven     | >= 2.8.0, < 2.8.2   | 2.8.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from improper handling of invalid Content-Type headers in the CSRF protection logic. The patch added 'hasInvalidContentType' checks and modified conditional logic in multiple locations. The original vulnerable functions failed to account for:
1) requests with unparseable Content-Type headers, for which the parsed contentType.isEmpty, and
2) the distinction between the header being present and the header parsing validly.
This allowed attackers to craft requests with malformed Content-Type parameters to bypass the blacklist-based CSRF protection. The functions that decide whether a CSRF check applies (call, apply, requiresCsrfCheck) were directly modified in the security patch, indicating that they contained the flawed logic.
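The following is an added illustration of the root cause described above, not Play Framework's own code: a blacklist-based content-type check in its vulnerable form beside the hardened form that treats an unparseable Content-Type as requiring the CSRF check. The class and method names (ContentTypeCheck, parseMediaType, requiresCsrfCheckVulnerable, requiresCsrfCheckHardened) and the strict header grammar are assumptions chosen for the example; the hasInvalidContentType flag mirrors the check named in the patch description.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (not Play's code): models a blacklist-based CSRF content-type
 * decision and shows why an unparseable Content-Type must count as "check".
 */
public final class ContentTypeCheck {

    // Content types a browser may send cross-origin without a CORS preflight.
    static final Set<String> BLACKLIST = Set.of(
            "application/x-www-form-urlencoded",
            "multipart/form-data",
            "text/plain");

    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    /**
     * Strict parse of a Content-Type value: "type/subtype" followed by zero or
     * more ";name=value" parameters. Any syntax error yields empty, mirroring a
     * parser whose result is contentType.isEmpty for bad input. (Assumed grammar.)
     */
    static Optional<String> parseMediaType(String header) {
        if (header == null) return Optional.empty();
        String[] parts = header.split(";", -1);
        String mediaType = parts[0].trim().toLowerCase(Locale.ROOT);
        String token = "[!#$%&'*+.^_`|~0-9a-z-]+";
        if (!mediaType.matches(token + "/" + token)) {
            return Optional.empty();
        }
        for (int i = 1; i < parts.length; i++) {
            String param = parts[i].trim();
            int eq = param.indexOf('=');
            // Each parameter must be name=value with a non-empty name.
            if (eq <= 0 || param.substring(0, eq).isBlank()) {
                return Optional.empty();
            }
            String value = param.substring(eq + 1);
            boolean quoted = value.length() >= 2
                    && value.startsWith("\"") && value.endsWith("\"");
            if (value.isEmpty()
                    || (!quoted && !value.matches("[!#$%&'*+.^_`|~0-9a-zA-Z-]+"))) {
                return Optional.empty();
            }
        }
        return Optional.of(mediaType);
    }

    /** Vulnerable shape: only the successfully parsed media type is consulted. */
    static boolean requiresCsrfCheckVulnerable(String method, String contentType) {
        if (SAFE_METHODS.contains(method)) return false;
        Optional<String> parsed = parseMediaType(contentType);
        // An unparseable header yields empty, which is never in the blacklist,
        // so such a request silently skips the CSRF check.
        return parsed.map(BLACKLIST::contains).orElse(false);
    }

    /** Hardened shape: a present-but-invalid Content-Type always requires the check. */
    static boolean requiresCsrfCheckHardened(String method, String contentType) {
        if (SAFE_METHODS.contains(method)) return false;
        Optional<String> parsed = parseMediaType(contentType);
        // Distinguish "header absent" from "header present but unparseable".
        boolean hasInvalidContentType = contentType != null && parsed.isEmpty();
        return hasInvalidContentType || parsed.map(BLACKLIST::contains).orElse(false);
    }

    public static void main(String[] args) {
        // Constructed sample header values for a POST request.
        String[] samples = {
            "application/x-www-form-urlencoded",
            "text/plain; charset=utf-8",
            "text/plain; charset",       // parameter without '=': unparseable
            "application/json"
        };
        for (String s : samples) {
            System.out.printf("%-36s vulnerable=%-5b hardened=%b%n", s,
                    requiresCsrfCheckVulnerable("POST", s),
                    requiresCsrfCheckHardened("POST", s));
        }
    }
}
```

Running the main method prints one line per sample; the third sample is the case that matters, where the vulnerable decision is false (no check) and the hardened decision is true. The hardened form keeps a missing Content-Type header as "no check" so that bodiless requests are unaffected, which is the presence-versus-validity distinction the analysis calls out.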


WAF Protection Rules

WAF Rule

In the affected Play Framework versions (listed in the package table above), the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
