Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController
See CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Description
The affected versions of Vaadin modify the default ObjectMapper bean in Spring so that it also serializes private and protected properties. Because that same bean is used by other Spring functionality, this can cause accidental exposure of sensitive data, for example fields without getters in objects returned from a @RestController. Vaadin 15.0.5 fixes the problem by applying the change only to a separate ObjectMapper instance that is not shared with other Spring functionality.
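The following is an added example, not Vaadin's code, that shows the mechanism described above with plain Jackson: a DTO whose non-public fields have no getters, the effect of widening field visibility on a shared mapper, the copy-then-configure pattern the fix is described as using, and a small check an application can run at startup or in a test to confirm its shared mapper does not serialize private fields. The advisory does not say which visibility call Vaadin made; setVisibility(PropertyAccessor.FIELD, Visibility.ANY) is an assumption about how the effect is produced, and the Account and Probe classes and their values are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example (not Vaadin's or Spring's code). Demonstrates how widening field
// visibility on a shared ObjectMapper exposes data that a @RestController never
// meant to return, and how configuring a separate copy avoids that.
public class ObjectMapperVisibilityDemo {

    // Constructed DTO: only "username" is meant to appear in JSON. The non-public
    // fields have no getters, so the author expects Jackson to skip them.
    static class Account {
        private String username = "alice";
        private String passwordHash = "$2a$10$constructedhashvalue";   // constructed
        protected String sessionToken = "tok-constructed-123";         // constructed

        public String getUsername() { return username; }
    }

    // Probe type used only to detect whether a mapper leaks non-public state.
    static class Probe {
        private String secret = "hidden";
        public String getVisible() { return "shown"; }
    }

    /** Jackson defaults: public getters and public fields only. */
    static ObjectMapper defaultMapper() {
        return new ObjectMapper();
    }

    /**
     * Assumption: the affected versions widened field visibility on the shared
     * Spring bean roughly like this. The exact call is not on the advisory page;
     * this is the generic Jackson way to make private/protected fields serializable.
     */
    static ObjectMapper mutateSharedMapper(ObjectMapper shared) {
        return shared.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
    }

    /** Fixed pattern: configure a private copy and leave the shared bean untouched. */
    static ObjectMapper separateFrameworkMapper(ObjectMapper shared) {
        ObjectMapper copy = shared.copy();
        copy.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return copy;
    }

    /** Startup or test check: does this mapper serialize private fields that have no getter? */
    static boolean leaksPrivateFields(ObjectMapper mapper) throws JsonProcessingException {
        return mapper.writeValueAsString(new Probe()).contains("secret");
    }

    public static void main(String[] args) throws Exception {
        Account account = new Account();

        ObjectMapper shared = defaultMapper();
        // Only "username" is emitted with default visibility.
        System.out.println("default : " + shared.writeValueAsString(account));

        // The framework-private copy sees all fields; the shared mapper is unaffected.
        ObjectMapper frameworkOnly = separateFrameworkMapper(shared);
        System.out.println("copy    : " + frameworkOnly.writeValueAsString(account));
        System.out.println("shared leaks after copy?    " + leaksPrivateFields(shared));

        // Mutating the shared instance instead leaks passwordHash and sessionToken
        // from every place that mapper is used, including REST responses.
        mutateSharedMapper(shared);
        System.out.println("mutated : " + shared.writeValueAsString(account));
        System.out.println("shared leaks after mutation? " + leaksPrivateFields(shared));
    }
}
```

In a Spring Boot application the ObjectMapper bean is the one injected into MappingJackson2HttpMessageConverter, which serializes @RestController return values, so any library that calls setVisibility (or similar configuration) on that bean changes what every REST endpoint emits. A check like leaksPrivateFields against the injected bean in an integration test catches this class of regression regardless of which dependency caused it.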
Affected products and mitigation
Users of affected versions should upgrade. Releases that fix this issue:

Product version | Mitigation
Vaadin 15.0.0 - 15.0.4 | Upgrade to 15.0.5 or a newer version
Artifacts
Maven coordinates | Vulnerable version | Fixed version
com.vaadin:flow-server | 3.0.0 - 3.0.5 | ≥ 3.0.6
Credit
This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie).
References