Denial of service in UIDL request handler in Vaadin 7 and 8
An improper check for an exceptional condition in a third-party JSON handling library used in com.vaadin:vaadin-shared versions 7.4.0 through 7.7.8 (Vaadin 7.4.0 through 7.7.8) and 8.0.0 through 8.0.5 (Vaadin 8.0.0 through 8.0.5) allows an attacker to perform a denial of service (DoS) attack via a crafted JSON payload.
See CWE-754: Improper Check for Unusual or Exceptional Conditions, CWE-400: Uncontrolled Resource Consumption
An improper check for an exceptional condition was discovered in a third-party JSON handling library integrated in Vaadin Framework 7 and used as a transitive dependency in Vaadin Framework 8. By crafting an invalid JSON payload, an attacker could cause the server-side decoding logic to exhaust the entire JVM heap. The vulnerability may impact service availability, but cannot cause execution of untrusted code or disclosure of sensitive information.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Affected Vaadin version | Mitigation |
|---|---|
| Vaadin 7.4.0 - 7.7.8 | Upgrade to 7.7.9 or newer 7 version |
| Vaadin 8.0.0 - 8.0.5 | Upgrade to 8.0.6 or newer 8 version |

| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:vaadin-shared | 7.4.0 - 7.7.8 | ≥ 7.7.9 |
| com.vaadin:vaadin-shared | 8.0.0 - 8.0.5 | ≥ 8.0.6 |
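As an added check (example code, not part of the advisory or of Vaadin), the script below scans `mvn dependency:tree` output for the affected vaadin-shared ranges listed above and reports the first fixed release; it also records the nesting depth, since in Vaadin 8 the artifact arrives transitively. The sample tree output and its non-Vaadin versions are constructed.

```python
import re

# Affected ranges of com.vaadin:vaadin-shared from the advisory (inclusive),
# each paired with the first fixed release of that major version.
ARTIFACT = "com.vaadin:vaadin-shared"
AFFECTED = [((7, 4, 0), (7, 7, 8), "7.7.9"), ((8, 0, 0), (8, 0, 5), "8.0.6")]

def parse_version(text):
    """'7.7.8' (any trailing qualifier ignored) -> (7, 7, 8)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(x) for x in m.groups())

def fixed_version(version):
    """Minimum fixed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED:
        if lo <= v <= hi:
            return fixed
    return None

# One `mvn dependency:tree` line: groupId:artifactId:packaging:version:scope, preceded
# by tree-drawing characters whose width encodes the nesting depth (3 columns per level).
DEP = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):\w+\s*$")
MARKER = re.compile(r"[+\\]- ")

def find_affected(tree_output):
    """Return [(version, depth, fixed)] for every affected vaadin-shared entry.
    Depth 0 is a direct dependency; deeper entries are transitive (the Vaadin 8 case)."""
    hits = []
    for line in tree_output.splitlines():
        dep, marker = DEP.search(line), MARKER.search(line)
        if not dep or not marker:
            continue
        group, artifact, version = dep.groups()
        if "%s:%s" % (group, artifact) != ARTIFACT:
            continue
        fixed = fixed_version(version)
        if fixed:
            hits.append((version, (marker.start() - len("[INFO] ")) // 3, fixed))
    return hits

# Constructed sample tree output; the non-Vaadin versions are illustrative only.
SAMPLE_TREE = """\
[INFO] com.example:myapp:war:1.0.0
[INFO] +- com.vaadin:vaadin-server:jar:8.0.5:compile
[INFO] |  +- com.vaadin:vaadin-shared:jar:8.0.5:compile
[INFO] |  \\- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] \\- junit:junit:jar:4.12:test
"""
```

Run `find_affected(open("tree.txt").read())` on a saved `mvn dependency:tree` listing; an empty result means no vaadin-shared entry falls in an affected range.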
- 2017-05-11: Initial vulnerability report published