Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
ComboBox and Grid components in Vaadin 8 use com.vaadin.data.provider.DataCommunicator class to retrieve rows of data from the back end data source. Missing check for number of requested rows in DataCommunicator allows authenticated network attackers who have access to the view with affected ComboBox or Grid components to request an arbitrary amount of data. If the underlying dataset is big enough, it may cause heap exhaustion and, therefore, impact service availability. This vulnerability cannot not cause execution of untrusted code or disclosure of sensitive information.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: