Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11

Severity: Low (Base score 2.6) CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CVE entry: CVE-2018-25007

Overview

A missing check in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and Vaadin 11.0.0 through 11.0.2) allows an attacker to update element property values via a crafted synchronization message.

See CWE-754: Improper Check for Unusual or Exceptional Conditions

Description

Server-side element property values can be updated from the client in unexpected situations. A fake synchronization message sent to the server could update an element property value from the client, affecting application logic that reads element property values and expects them to be immutable from the client side.

The server-side value was updated only in cases where no client filter was set, meaning that read-only and disabled element property updates were blocked and therefore not affected by this issue.

Another case where updates were not blocked was when the template model had beans in a list: the properties of those beans could be updated from the client when this was not intended. Other updates to the template model were not affected by this issue.
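As an added illustration (not Vaadin's code and not part of the original advisory), the following self-contained Java sketch models the element-property case: a hypothetical PropertySyncHandler with an unchecked variant that applies whatever property value the client sends, beside a hardened variant that applies a client update only when the server has explicitly opened that property for client-side synchronization and the element is enabled. The Element, PropertySync and Outcome names, and the sample "checked"/"price" properties, are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical server-side handler for property synchronization messages.
// Not Vaadin code: it illustrates the check the advisory describes as missing.
public final class PropertySyncHandler {
    enum Outcome { APPLIED, REJECTED_NOT_SYNCHRONIZED, REJECTED_DISABLED }

    // Vulnerable variant: trusts the client and writes the value unconditionally.
    static Outcome handleUnchecked(PropertySync sync) {
        sync.element.setProperty(sync.property, sync.value);
        return Outcome.APPLIED;
    }

    // Hardened variant: only properties the server opened for client updates,
    // and only on enabled elements, may be changed from the client.
    static Outcome handleChecked(PropertySync sync) {
        Element element = sync.element;
        if (!element.isEnabled()) {
            return Outcome.REJECTED_DISABLED;
        }
        if (!element.isClientUpdatable(sync.property)) {
            // The client has no right to change this property: drop the update.
            return Outcome.REJECTED_NOT_SYNCHRONIZED;
        }
        element.setProperty(sync.property, sync.value);
        return Outcome.APPLIED;
    }

    public static void main(String[] args) {
        Element item = new Element();
        item.setProperty("checked", false);   // client may toggle this
        item.setProperty("price", 100);       // server-owned; constructed sample value
        item.allowClientUpdate("checked");

        // Constructed sample messages as they would arrive in a UIDL request.
        PropertySync legitimate = new PropertySync(item, "checked", true);
        PropertySync unexpected = new PropertySync(item, "price", 1);

        System.out.println("unchecked, price: " + handleUnchecked(unexpected)
                + " -> price is now " + item.getProperty("price"));

        item.setProperty("price", 100);       // reset for the hardened run
        System.out.println("checked, checked: " + handleChecked(legitimate)
                + " -> checked is now " + item.getProperty("checked"));
        System.out.println("checked, price: " + handleChecked(unexpected)
                + " -> price is still " + item.getProperty("price"));

        item.setEnabled(false);
        System.out.println("checked, disabled element: " + handleChecked(legitimate));
    }
}

// Minimal stand-in for a server-side element with property storage and an
// explicit allow-list of properties the client may synchronize.
final class Element {
    private final Map<String, Object> properties = new HashMap<>();
    private final Set<String> clientUpdatable = new HashSet<>();
    private boolean enabled = true;

    void setProperty(String name, Object value) { properties.put(name, value); }
    Object getProperty(String name) { return properties.get(name); }
    void allowClientUpdate(String name) { clientUpdatable.add(name); }
    boolean isClientUpdatable(String name) { return clientUpdatable.contains(name); }
    void setEnabled(boolean enabled) { this.enabled = enabled; }
    boolean isEnabled() { return enabled; }
}

// One property-synchronization message: target element, property name, new value.
final class PropertySync {
    final Element element;
    final String property;
    final Object value;

    PropertySync(Element element, String property, Object value) {
        this.element = element;
        this.property = property;
        this.value = value;
    }
}
```

Run with a Java 11 or newer launcher (java PropertySyncHandler.java). The design point is that the allow-list lives on the server-side element: a message naming a property the server never opened for synchronization is rejected before any value is written, and a disabled element rejects all client updates, which is the behaviour the advisory says was already in place for read-only and disabled elements.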

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version          Mitigation
Vaadin 10.0.0 - 10.0.7   Upgrade to 10.0.8 or a newer 10 version
Vaadin 11.0.0 - 11.0.2   Upgrade to 11.0.3 or a newer 11 version

Artifacts

Maven coordinates        Vulnerable version   Fixed version
com.vaadin:flow-server   1.0.0 - 1.0.5        ≥ 1.0.6

History

  • 2018-11-29: Initial vulnerability report published