CVE-2020-36321

Published: Apr 23, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

Affected (4)

Products: Vaadin: Flow, Vaadin

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Vaadin Flow	From 2.0.0 to 2.4.2
Vaadin Flow	From 3.0.0 to 5.0.0
Vaadin Vaadin	From 14.0.0 to 14.4.3
Vaadin Vaadin	From 15.0.0 to 18.0.0

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

https://github.com/vaadin/flow/pull/9392

Source: security@vaadin.com

PatchThird Party Advisory

https://vaadin.com/security/cve-2020-36321

Source: security@vaadin.com

Vendor Advisory

https://github.com/vaadin/flow/pull/9392

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://vaadin.com/security/cve-2020-36321

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.