All vulnerability reports

Possible information disclosure in non visible components

Severity:
Medium (Base score 5.7 ) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CVE entry:
CVE-2023-25499

Overview

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

See CWE-201: Insertion of Sensitive Information Into Sent Data

Description

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 10.0.0 - 10.0.22 Upgrade to 10.0.23 (Vaadin extended maintenance starting from June 26 2023)
Vaadin 11.0.0 - 14.10.0 Upgrade to 14.10.1 or newer
Vaadin 15.0.0 - 22.0.28  Upgrade to 22.1.0  (Available on demand)
Vaadin 23.0.0 - 23.3.12 Upgrade to 23.3.13 or newer
Vaadin 24.0.0 - 24.0.5 Upgrade to 24.0.6 or newer
Vaadin 24.1.0.alpha1 - 24.1.0.beta1
  • Upgrade to 24.1.0 or newer

Please note that Vaadin versions 11-13 and 15-22.0 are no longer supported and you should update either to the latest 14, 22.1, 23, 24 version.

Artifacts

Maven coordinates Vulnerable version Fixed version
com.vaadin:flow-server   1.0.0 - 1.0.19  ≥1.0.20 
com.vaadin:flow-server   1.1.0 - 2.8.9  ≥2.8.10
com.vaadin:flow-server  3.0.0 - 9.1.0 ≥9.1.1
com.vaadin:flow-server  23.0.0 - 23.3.10 ≥23.3.11 
com.vaadin:flow-server   24.0.0 - 24.0.7 ≥24.0.8
com.vaadin:flow-server  24.1.0.alpha1 - 24.1.0.beta1 ≥24.1.0

Credit

This issue was discovered and responsibly reported by Kim Leppänen.

References

  • https://github.com/vaadin/flow/pull/15885

History

  • 2023-06-22: Initial vulnerability report published