Security
Vaadin is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community. This page describes Vaadin's policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.
When to contact the security emergency response team
Contact the Vaadin Product Security Incident Response Team (PSIRT) by sending email to security@vaadin.com in the following situations:
- You have identified a potential security vulnerability with one of our products;
- You have identified a potential security vulnerability with one of our services.
To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email. We are equipped to receive messages encrypted using S/MIME. You can download a copy of the certificate that can be used to send encrypted email to us: security_vaadin_com.p7b.
The security@vaadin.com email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please use Stack Overflow or create an issue in the corresponding GitHub repository.
Vaadin PSIRT will confirm receipt of your report within three business days. We will work with internal teams to verify the finding and respond in a timely manner with an update or request for additional information.
Receiving security information from Vaadin
Technical security information about our products and services is distributed through several channels.
Vaadin distributes information to customers about security vulnerabilities via the vaadin.com/security page, GitHub security advisories (where applicable) and by email to registered users. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability though there can be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.
As each security vulnerability case is different, we can take alternative actions in connection with issuing security notices. Vaadin can determine to accelerate or delay the release of a notice or not issue a notice at all. Vaadin does not guarantee that security notices will be issued for any or all security issues customers can consider significant or that notices will be issued on any specific timetable.
Security-related information can also be distributed by Vaadin to public newsgroups or electronic mailing lists. This is done on a case-by-case basis, depending on how Vaadin perceives the relevance of each notice to each particular forum.
Vaadin works with the formal incident response community to distribute information. Many company security notices are distributed by regional CSIRT at the same time that they are sent through company information distribution channels.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
Vulnerability reports
| Date | Severity | Reference | Description |
|---|---|---|---|
| 2023-06-22 | Medium | CVE-2023-25499 | Possible information disclosure in non visible components |
| 2023-06-22 | High | ADVISORY-2023-06-22 | Apache Commons FileUpload - DoS with excessive parts |
| 2023-06-22 | Low | CVE-2023-25500 | Possible information disclosure of class and method names in RPC response |
| 2022-05-24 | Medium | CVE-2022-29567 | Possible information disclosure inside TreeGrid component with default data provider |
| 2022-04-01 | Critical | ADVISORY-2022-04-01 | Spring Core Remote Code Execution via Data Binding on JDK 9+ |
| 2021-11-01 | Medium | CVE-2021-33611 | Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14 |
| 2021-10-27 | High | ADVISORY-2021-10-27 | Denial of service in third-party component in Vaadin 7 and 8 |
| 2021-10-13 | Medium | CVE-2021-33609 | Denial of service in DataCommunicator class in Vaadin 8 |
| 2021-08-24 | Medium | CVE-2021-33605 | Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20 |
| 2021-06-24 | Low | CVE-2021-33604 | Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19 |
| 2021-06-24 | Medium | CVE-2021-31412 | Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 |
| 2021-05-04 | Medium | CVE-2021-31411 | Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 |
| 2021-04-30 | High | CVE-2021-31409 | Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8 |
| 2021-04-22 | High | CVE-2021-31410 | Project sources exposure in Vaadin Designer |
| 2021-04-20 | Medium | CVE-2021-31408 | Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 |
| 2021-03-29 | High | CVE-2021-31407 | Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19 |
| 2021-03-19 | Medium | CVE-2021-31406 | Timing side channel vulnerability in endpoint request handler in Vaadin 15-19 |
| 2021-03-11 | High | CVE-2021-31405 | Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17 |
| 2021-02-17 | Medium | CVE-2021-31404 | Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 |
| 2021-02-12 | Medium | CVE-2021-31403 | Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8 |
| 2020-11-26 | Medium | CVE-2020-36321 | Directory traversal in development mode handler in Vaadin 14 and 15-17 |
| 2020-10-08 | High | CVE-2020-36320 | Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7 |
| 2020-04-21 | Low | CVE-2020-36319 | Potential sensitive data exposure in applications using Vaadin 15 |
| 2019-07-04 | Medium | CVE-2019-25028 | Stored cross-site scripting in Grid component in Vaadin 7 and 8 |
| 2019-05-27 | Medium | CVE-2019-25027 | Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13 |
| 2018-11-29 | Low | CVE-2018-25007 | Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11 |
| 2018-11-13 | Notice | ADVISORY-2018-11-13 | Potential deserialization of untrusted data in Vaadin 7 and 8 when JMX or RMI are enabled |
| 2017-05-11 | High | ADVISORY-2017-05-11 | Denial of service in UIDL request handler in Vaadin 7 and 8 |