Security

Vaadin is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community. This page describes Vaadin's policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.

When to contact the security emergency response team

Contact the Vaadin Product Security Incident Response Team (PSIRT) by sending email to security@vaadin.com in the following situations:

  • You have identified a potential security vulnerability with one of our products;
  • You have identified a potential security vulnerability with one of our services.

To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email. We are equipped to receive messages encrypted using S/MIME. A copy of the certificate that can be used to send encrypted email can be downloaded here.

The security@vaadin.com email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please use Vaadin Forum or create an issue in the corresponding GitHub repository.

Vaadin PSIRT will confirm receipt of your report within three business days. We will work with internal teams to verify the finding and respond in a timely manner with an update or request for additional information.

Receiving security information from Vaadin

Technical security information about our products and services is distributed through several channels.

  • Vaadin distributes information to customers about security vulnerabilities via the vaadin.com/security page, GitHub security advisories (where applicable) and by email to registered users. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability though there can be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.

    As each security vulnerability case is different, we can take alternative actions in connection with issuing security notices. Vaadin can determine to accelerate or delay the release of a notice or not issue a notice at all. Vaadin does not guarantee that security notices will be issued for any or all security issues customers can consider significant or that notices will be issued on any specific timetable.

  • Security-related information can also be distributed by Vaadin to public newsgroups or electronic mailing lists. This is done on a case-by-case basis, depending on how Vaadin perceives the relevance of each notice to each particular forum.

  • Vaadin works with the formal incident response community to distribute information. Many company security notices are distributed by regional CSIRT at the same time that they are sent through company information distribution channels.

All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.

Vulnerability reports

Date Severity Reference Description
2021-03-29 High ADVISORY-2021-03-29 Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
2021-03-19 Medium ADVISORY-2021-03-19 Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
2021-03-11 High ADVISORY-2021-03-11 Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17
2021-02-17 Medium ADVISORY-2021-02-17 Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
2021-02-12 Medium ADVISORY-2021-02-12 Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
2020-11-26 Low ADVISORY-2020-11-26 Directory traversal in development mode handler in Vaadin 14 and 15-17
2020-10-08 High ADVISORY-2020-10-08 Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7
2020-04-21 Low ADVISORY-2020-04-21 Potential sensitive data exposure in applications using Vaadin 15
2019-07-04 Medium ADVISORY-2019-07-04 Stored cross-site scripting in Grid component in Vaadin 7 and 8
2019-05-27 Medium ADVISORY-2019-05-27 Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
2018-11-29 Low ADVISORY-2018-11-29 Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
2018-11-13 Notice ADVISORY-2018-11-13 Potential deserialization of untrusted data in Vaadin 7 and 8 when JMX or RMI are enabled
2017-05-11 High ADVISORY-2017-05-11 Denial of service in UIDL request handler in Vaadin 7 and 8