PT-2021-12005 · Vaadin · Com.Vaadin:Flow-Server

Published: 2021-04-19 · Updated: 2021-05-05 · CVE-2020-36321

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: com.vaadin:flow-server versions 2.0.0 through 2.4.1; com.vaadin:flow-server versions 3.0 prior to 5.0
Description: The issue is related to improper URL validation in the development mode handler, allowing an attacker to request arbitrary files stored outside of the intended frontend resources folder.
Recommendations: For com.vaadin:flow-server versions 2.0.0 through 2.4.1, update to version 2.4.2 or later to resolve the issue. For com.vaadin:flow-server versions 3.0 prior to 5.0, update to version 5.0 or later to resolve the issue. As a temporary workaround, consider disabling the development mode handler until a patch is available.

Fix

RCE

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2020-36321
GHSA-49R2-73M6-PP8F
GHSA-82MF-MMH7-HXP5

Affected Products

Com.Vaadin:Flow-Server