Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Improper sanitization of path in default
RouteNotFoundError view in
com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for
NotFoundException is provided.
See CWE-1295: Debug Messages Revealing Unnecessary Information
The vulnerability exposes a list of all the registered route paths of the application, even in production mode, in case the application is using the default
RouteNotFoundError view instead of providing their own error view. Exposed route list allows threat actors to refine attack surface and perform targeted scanning of views. In the worst case can it can even reveal insecure views that are intended for internal use and are missing proper access control checks or other security measures.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
|Vaadin 10.0.0 - 10.0.18||Upgrade to 10.0.19 or newer 10 version|
|Vaadin 11 - 13||No longer supported. Upgrade to 14.6.2 or newer version|
|Vaadin 14.0.0 - 14.6.1||Upgrade to 14.6.2 or newer 14 version|
|Vaadin 15 - 18||No longer supported. Upgrade to 19.0.9 or newer version|
|Vaadin 19.0.0 - 19.0.8||Upgrade to 19.0.9 or newer 19 version|
Please note that Vaadin versions 11-13 and 15-18 are no longer supported and you should update either to the latest 14 or 19 version respectively.
|Maven coordinates||Vulnerable version||Fixed version|
|com.vaadin:flow-server||1.0.0 - 1.0.14||≥ 1.0.15|
|com.vaadin:flow-server||1.1 - 1.4||N/A|
|com.vaadin:flow-server||2.0.0 - 2.6.1||≥ 2.6.2|
|com.vaadin:flow-server||3.0 - 5.0||N/A|
|com.vaadin:flow-server||6.0.0 - 6.0.9||≥ 6.0.10|
- 2021-06-24: Initial vulnerability report published