All vulnerability reports

Denial of service in DataCommunicator class in Vaadin 8

Severity:
Medium (Base score 4.3) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE entry:
CVE-2021-33609

Overview

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.

See CWE-400: Uncontrolled Resource Consumption

Description

ComboBox and Grid components in Vaadin 8 use com.vaadin.data.provider.DataCommunicator class to retrieve rows of data from the back end data source. Missing check for number of requested rows in DataCommunicator allows authenticated network attackers who have access to the view with affected ComboBox or Grid components to request an arbitrary amount of data. If the underlying dataset is big enough, it may cause heap exhaustion and, therefore, impact service availability. This vulnerability cannot not cause execution of untrusted code or disclosure of sensitive information.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 8.0.0 - 8.14.0 Upgrade to 8.14.1 or newer 8 version

Artifacts

Maven coordinates Vulnerable version Fixed version
com.vaadin:vaadin-server 8.0.0 - 8.14.0 ≥ 8.14.1

References

History

  • 2021-10-13: Initial vulnerability report published