Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController
The affected versions of Vaadin modify the default ObjectMapper bean in Spring to also expose private and protected properties. This can cause accidental exposure of sensitive data if the application also uses e.g. @RestController. Vaadin 15.0.5 fixes the problem by only modifying a separate ObjectMapper instance that isn't shared with other Spring functionality.
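The effect described above, as an added example that is not Vaadin's or the advisory's own code: a mapper with widened field visibility serializes private and protected fields that have no getters, while a separately configured copy leaves the shared mapper unchanged. The Account class, its values and the use of setVisibility as a stand-in for the affected configuration are assumptions; jackson-databind is assumed to be on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.databind.ObjectMapper;

public class ObjectMapperVisibilityDemo {

    // Constructed sample entity: only 'username' is meant to leave the server.
    public static class Account {
        private final String username;
        private final String passwordHash;  // internal, no getter
        protected final String resetToken;  // internal, no getter

        public Account(String username, String passwordHash, String resetToken) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.resetToken = resetToken;
        }

        public String getUsername() {
            return username;
        }
    }

    public static void main(String[] args) throws Exception {
        Account account = new Account("alice", "constructed-hash", "constructed-token");

        // Weak pattern (assumed stand-in for the affected behaviour): the mapper
        // shared with the rest of the application is widened to all fields, so
        // anything serialized through it includes private and protected state.
        ObjectMapper widenedShared = new ObjectMapper()
                .setVisibility(PropertyAccessor.FIELD, Visibility.ANY);
        System.out.println("shared mapper, widened:   "
                + widenedShared.writeValueAsString(account));

        // Corrected pattern: the shared mapper keeps Jackson's defaults and the
        // widened visibility is applied only to a private copy.
        ObjectMapper shared = new ObjectMapper();
        ObjectMapper internalOnly = shared.copy()
                .setVisibility(PropertyAccessor.FIELD, Visibility.ANY);
        System.out.println("shared mapper, untouched: "
                + shared.writeValueAsString(account));
        System.out.println("internal copy:            "
                + internalOnly.writeValueAsString(account));
    }
}
```

Comparing the first two printed lines is a quick check for this class of problem in any Spring application: serialize a representative entity with the injected ObjectMapper and confirm that only the intended properties appear.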
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: