Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.

See CWE-1295: Debug Messages Revealing Unnecessary Information

Description

The vulnerability exposes a list of all the registered route paths of the application, even in production mode, in case the application is using the default RouteNotFoundError view instead of providing their own error view. Exposed route list allows threat actors to refine attack surface and perform targeted scanning of views. In the worst case can it can even reveal insecure views that are intended for internal use and are missing proper access control checks or other security measures.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Please note that Vaadin versions 11-13 and 15-18 are no longer supported and you should update either to the latest 14 or 19 version respectively.

Artifacts

References

• PR: https://github.com/vaadin/flow/pull/11107