CVE-2020-36319

Published: Apr 23, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController

Affected (2)

Products: Vaadin: Flow, Vaadin

Vaadin

2 products

Flow

Vaadin

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Vaadin Flow	From 3.0.0 to 3.0.6
Vaadin Vaadin	From 15.0.0 to 15.0.5

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-668

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (6)

https://github.com/vaadin/flow/pull/8016

Source: security@vaadin.com

PatchThird Party Advisory

https://github.com/vaadin/flow/pull/8051

Source: security@vaadin.com

PatchThird Party Advisory

https://vaadin.com/security/cve-2020-36319

Source: security@vaadin.com

Vendor Advisory

https://github.com/vaadin/flow/pull/8016

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/vaadin/flow/pull/8051

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://vaadin.com/security/cve-2020-36319

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.