Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Vulnerability in OSGi integration in
com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
This vulnerability only applies to Vaadin OSGi applications in the aforementioned versions. The vulnerability is the outcome of the combination of the default behavior of the Http Whiteboard specification in OSGi and the static resources handling of
- The HTTP Whiteboard specification in OSGi works in a way that all resources inside a bundle/jar are available via the
ServletContextclass for any Servlet that is registered inside that bundle/jar. This is expected behavior of the Http Whiteboard specification in OSGi.
VaadinServletclass exposes all resources available in the
ServletContextto be accessed via HTTP (by actions of class
VaadinServlet is registered using the Http Whiteboard, it by default exposes all resources available in the
ServletContext of the bundle/jar to be accessible via the browser, as long as the request directly comes for the exact URL of the resource. This only applies to the resources within the same bundle as the servlet - resources from other bundles are not accessible as those are not exposed via
ServletContext by Http Whiteboard. In non-OSGi Vaadin applications, the
ServletContext does not provide access to resources similarly as is done with Vaadin OSGi applications.
In practice this means that any Java class or a static resource that is part of the same bundle as the registered servlet can be requested from the browser by using the correct request URL corresponding to that resource. To exploit the vulnerability, one has to, by minimum, know an entry point to the system that might provide further information on the resources that are accessible.
To address the issue, it is recommended to update the Vaadin version to the aforementioned maintenance versions where the issue is fixed.
One can test if their Vaadin OSGi application is affected by trying to access class files or static resources via the browser.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
|Vaadin 12 - 13||No longer supported. Upgrade to 14.4.10 or newer 14 version|
|Vaadin 14.0.0 - 14.4.9||Upgrade to 14.4.10 or newer 14 version|
|Vaadin 19.0.0||Upgrade to 19.0.1 or newer 19 version|
Please note that Vaadin versions 12-13 are no longer supported and you should update to the latest 14 version.
|Maven coordinates||Vulnerable version||Fixed version|
|com.vaadin:flow-server||1.2.0 - 2.4.7||≥ 2.4.8|
|com.vaadin:flow-server||6.0.0 - 6.0.1||≥ 6.0.2|
2021-03-29: Initial vulnerability report published