All vulnerability reports

Potential sensitive data exposure in applications using Vaadin 15

Severity:
Low (Base score 3.1) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Overview

Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController

See CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Description

The affected versions of Vaadin modify the default ObjectMapper bean in Spring to also expose private and protected properties. This can cause accidental exposure of sensitive data if the application also uses e.g. @RestController. Vaadin 15.0.5 fixes the problem by only modifying a separate ObjectMapper instance that isn't shared with other Spring functionality.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 15.0.0 - 15.0.4 Upgrade to 15.0.5 or newer version

Artifacts

Maven coordinates Vulnerable version Fixed version
com.vaadin:flow-server 3.0.0 - 3.0.5 ≥ 3.0.6

Credit

This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie).

References

History

2020-04-21: Initial vulnerability report published