Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Severity: High (Base score 8.6) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Overview

A vulnerability in the OSGi integration of com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9) and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request.

See CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')

Description

This vulnerability only applies to Vaadin OSGi applications in the aforementioned versions. It is the outcome of combining the default behavior of the HTTP Whiteboard specification in OSGi with the static resource handling of VaadinServlet:

  1. The HTTP Whiteboard specification in OSGi makes all resources inside a bundle/jar available through the ServletContext to any servlet registered from that bundle/jar. This is the expected behavior of the HTTP Whiteboard specification in OSGi.
  2. The VaadinServlet class exposes all resources available in the ServletContext for access via HTTP (through the StaticFileServer class).

When a VaadinServlet is registered using the HTTP Whiteboard, it by default exposes every resource available in the ServletContext of its bundle/jar to the browser, as long as the request targets the exact URL of the resource. This only applies to resources within the same bundle as the servlet - resources from other bundles are not accessible, since the HTTP Whiteboard does not expose them through the ServletContext. In non-OSGi Vaadin applications, the ServletContext does not provide access to resources in this way.

In practice this means that any Java class or static resource that is part of the same bundle as the registered servlet can be requested from the browser by using the request URL corresponding to that resource. To exploit the vulnerability, one has to know, at a minimum, an entry point to the system that might provide further information on which resources are accessible.

To address the issue, it is recommended to update the Vaadin version to one of the maintenance versions listed below in which the issue is fixed.
One can test whether a Vaadin OSGi application is affected by trying to access class files or static resources via the browser.
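The self-test just described, scripted: an added example for checking your own deployment, not code from Vaadin or from this advisory. It assumes the VaadinServlet is mounted at BASE_URL, that the request path for a bundle resource equals that resource's path inside the jar, and uses a placeholder class name that you must replace with a class from the servlet's own bundle.

```python
"""Self-check: is a compiled class from the servlet's bundle served over HTTP?"""
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"      # assumption: where the application under test runs
CLASS_MAGIC = b"\xca\xfe\xba\xbe"        # every Java .class file starts with these four bytes


def class_resource_path(fqcn: str) -> str:
    """Map a fully qualified class name to its path inside the bundle jar.

    Assumption: StaticFileServer resolves the request path directly against
    the ServletContext, so com.example.MyView -> /com/example/MyView.class.
    """
    return "/" + fqcn.replace(".", "/") + ".class"


def looks_like_class_file(status: int, body: bytes) -> bool:
    """A 200 response whose body starts with CAFEBABE is a compiled class."""
    return status == 200 and body[:4] == CLASS_MAGIC


def probe(url: str) -> tuple[int, bytes]:
    """Fetch the first bytes of a URL; return (status, prefix). 4xx/5xx give an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read(16)
    except urllib.error.HTTPError as err:
        return err.code, b""


def check(base_url: str, fqcn: str, fetch=probe) -> bool:
    """Return True when the class for `fqcn` is served, i.e. the application is affected.

    `fetch` is injectable so the decision logic can be exercised without a server.
    """
    status, body = fetch(base_url + class_resource_path(fqcn))
    return looks_like_class_file(status, body)


if __name__ == "__main__":
    # Placeholder: substitute a class that lives in the same bundle as your VaadinServlet.
    exposed = check(BASE_URL, "com.example.osgi.MyVaadinServlet")
    print("AFFECTED: class file served over HTTP" if exposed else "class file not served")
```

A 200 for an HTML error page does not count as exposure; only a body with the class-file magic does, which avoids false positives from catch-all handlers.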

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version           Mitigation
Vaadin 12 - 13            No longer supported. Upgrade to 14.4.10 or a newer 14 version
Vaadin 14.0.0 - 14.4.9    Upgrade to 14.4.10 or a newer 14 version
Vaadin 19.0.0             Upgrade to 19.0.1 or a newer 19 version

Please note that Vaadin versions 12-13 are no longer supported and you should update to the latest 14 version.

Artifacts

Maven coordinates         Vulnerable version    Fixed version
com.vaadin:flow-server    1.2.0 - 2.4.7         ≥ 2.4.8
com.vaadin:flow-server    6.0.0 - 6.0.1         ≥ 6.0.2

History

2021-03-29: Initial vulnerability report published