Missing check in
DataCommunicator class in
com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
See CWE-400: Uncontrolled Resource Consumption
Grid components in Vaadin 8 use
com.vaadin.data.provider.DataCommunicator class to retrieve rows of data from the back end data source. Missing check for number of requested rows in
DataCommunicator allows authenticated network attackers who have access to the view with affected
Grid components to request an arbitrary amount of data. If the underlying dataset is big enough, it may cause heap exhaustion and, therefore, impact service availability. This vulnerability cannot not cause execution of untrusted code or disclosure of sensitive information.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
|Vaadin 8.0.0 - 8.14.0
||Upgrade to 8.14.1 or newer 8 version
||8.0.0 - 8.14.0