Denial of service in third-party component in Vaadin 7 and 8
Improper check for exceptional condition in a third-party HTML handling library used in com.vaadin:vaadin-server versions 7.0.0 through 7.7.27 (Vaadin 7.0.0 through 7.7.27) and 8.0.0 through 8.13.3 (Vaadin 8.0.0 through Vaadin 8.13.3) allows network attackers to cause denial of service via unspecified vectors.
An improper check for an exceptional condition was discovered in the third-party HTML handling library org.jsoup:jsoup, used as a transitive dependency in Vaadin 7 and 8 for sanitizing HTML. By crafting invalid HTML input, an attacker could cause the server-side parsing logic to get stuck (loop indefinitely until cancelled) or to complete more slowly than usual. The vulnerability may impact service availability, but cannot cause execution of untrusted code or disclosure of sensitive information.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Affected versions | Mitigation |
|---|---|
| Vaadin 7.0.0 - 7.7.27 | Upgrade to 7.7.28 or a newer 7 version (Vaadin 7 extended maintenance) |
| Vaadin 8.0.0 - 8.13.3 | Upgrade to 8.14.0 or a newer 8 version |
Please note that updates for Vaadin 7 are only available to extended-support customers.
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:vaadin-server | 7.0.0 - 7.7.27 | ≥ 7.7.28 |
| com.vaadin:vaadin-server | 8.0.0 - 8.13.3 | ≥ 8.14.0 |
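As an added example (not part of this advisory), a small script that reads `mvn dependency:tree` output and flags any com.vaadin:vaadin-server artifact whose version falls in the affected ranges above, reporting the first fixed version; the dependency-tree lines are constructed sample input.

```python
import re

# Affected ranges from the advisory: (inclusive lower bound, inclusive upper bound, first fixed version)
AFFECTED = [
    ((7, 0, 0), (7, 7, 27), "7.7.28"),
    ((8, 0, 0), (8, 13, 3), "8.14.0"),
]

# Matches a Maven dependency:tree line such as
#   [INFO] +- com.vaadin:vaadin-server:jar:8.13.3:compile
DEP_RE = re.compile(r"com\.vaadin:vaadin-server:[^:]+:([0-9][^:\s]*)")


def parse_version(text):
    """Turn '8.13.3' into a comparable (major, minor, patch) tuple; non-numeric qualifiers are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def classify(version):
    """Return (status, fixed_version) for one vaadin-server version string."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return ("vulnerable", fixed)
    return ("not affected", None)


def scan_dependency_tree(tree_text):
    """Find every vaadin-server occurrence in dependency:tree output and classify it."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            status, fixed = classify(m.group(1))
            findings.append((m.group(1), status, fixed))
    return findings


# Constructed sample output: one module still on a vulnerable 8.x, one already on 7.7.28.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0
[INFO] +- com.vaadin:vaadin-server:jar:8.13.3:compile
[INFO] +- com.vaadin:vaadin-client:jar:8.13.3:provided
[INFO] com.example:legacy:war:1.0
[INFO] +- com.vaadin:vaadin-server:jar:7.7.28:compile
"""

if __name__ == "__main__":
    for version, status, fixed in scan_dependency_tree(SAMPLE_TREE):
        note = f" (upgrade to {fixed} or newer)" if fixed else ""
        print(f"com.vaadin:vaadin-server:{version}: {status}{note}")
```

Run it against real output with `mvn dependency:tree | python check_vaadin.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.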
- 2021-10-27: Initial vulnerability report published