Possible information disclosure of class and method names in RPC response
Overview
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
See CWE-1295: Debug Messages Revealing Unnecessary Information
Description
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version | Mitigation |
|---|---|
| Vaadin 10.0.0 - 10.0.23 | Upgrade to 10.0.24 (Vaadin extended maintenance starting from June 26 2023) |
| Vaadin 11.0.0 - 14.10.1 | Upgrade to 14.10.2 or newer |
| Vaadin 15.0.0 - 22.0.28 | Upgrade to 22.1.0 (Available on demand) |
| Vaadin 23.0.0 - 23.3.13 | Upgrade to 23.3.14 or newer |
| Vaadin 24.0.0 - 24.0.6 | Upgrade to 24.0.7 or newer |
| Vaadin 24.1.0.alpha1 - 24.1.0.rc2 |
|
Please note that Vaadin versions 11-13 and 15-22.0 are no longer supported and you should update either to the latest 14, 22.1, 23, 24 version.
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:flow-server | 1.0.0 - 1.0.20 | ≥1.0.21 |
| com.vaadin:flow-server | 1.1.0 - 2.9.2 | ≥2.9.3 |
| com.vaadin:flow-server | 3.0.0 - 9.1.1 | ≥9.1.2 |
| com.vaadin:flow-server | 23.0.0 - 23.3.12 | ≥23.3.13 |
| com.vaadin:flow-server | 24.0.0 - 24.0.8 | ≥24.0.9 |
| com.vaadin:flow-server | 24.1.0.alpha1 - 24.1.0.rc3 | ≥24.1.0 |
References
- https://github.com/vaadin/flow/pull/16935
History
- 2023-06-22: Initial vulnerability report published