PT-2022-19702 · Vaadin · Vaadin
Christian Knoop +1
Published 2022-05-24 · Updated 2022-06-07
CVE-2022-29567
CVSS v3.1: 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Vaadin versions 14.8.5 through 14.8.9
Vaadin versions 22.0.6 through 22.0.14
Vaadin versions 23.0.0.beta2 through 23.0.8
Vaadin versions 23.1.0.alpha1 through 23.1.0.alpha4
Description
The default configuration of the TreeGrid component uses Object::toString as the item key in client-server communication in Vaadin, so the string form of each item is sent to the browser. This results in potential information disclosure of values that should not be available on the client side.
Recommendations
For Vaadin versions 14.8.5 through 14.8.9, update the configuration to avoid using Object::toString as a key.
For Vaadin versions 22.0.6 through 22.0.14, update the configuration to avoid using Object::toString as a key.
For Vaadin versions 23.0.0.beta2 through 23.0.8, update the configuration to avoid using Object::toString as a key.
For Vaadin versions 23.1.0.alpha1 through 23.1.0.alpha4, update the configuration to avoid using Object::toString as a key.
As a temporary workaround, consider disabling the TreeGrid component until a proper configuration can be implemented.
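The following is an added example, not code from the advisory or from Vaadin, showing what "avoid using Object::toString as a key" looks like in application code. The item type `Employee`, the provider class `EmployeeDataProvider` and the sample data are constructed for illustration; `TreeGrid`, `TreeData`, `TreeDataProvider`, `addHierarchyColumn` and `DataProvider.getId` are Vaadin Flow APIs. Whether an affected version consults the `getId()` override when building the hierarchical key is an assumption; the `toString()` change is the part that matches the advisory's wording directly, since it removes sensitive fields from the value that would be used as the key.

```java
// Added example (not from the advisory or from Vaadin). A TreeGrid item whose
// toString() never exposes sensitive fields, plus a data provider that supplies
// an explicit, non-sensitive identifier instead of relying on Object::toString.
import com.vaadin.flow.component.treegrid.TreeGrid;
import com.vaadin.flow.data.provider.hierarchy.TreeData;
import com.vaadin.flow.data.provider.hierarchy.TreeDataProvider;

import java.util.Objects;

public class SafeTreeGridExample {

    /** Constructed sample item type with a field that must stay server-side. */
    public static final class Employee {
        private final String id;     // stable, non-sensitive identifier
        private final String name;
        private final int salary;    // must never reach the browser

        Employee(String id, String name, int salary) {
            this.id = Objects.requireNonNull(id);
            this.name = Objects.requireNonNull(name);
            this.salary = salary;
        }

        public String getId() { return id; }
        public String getName() { return name; }

        // Weak pattern (shown only as what to avoid): an IDE- or Lombok-style
        // toString() that dumps every field. If the component derives the
        // client-side key from toString(), the salary is serialised into it.
        //
        // @Override public String toString() {
        //     return "Employee{id=" + id + ", name=" + name + ", salary=" + salary + "}";
        // }

        // Hardened: the string form is the opaque identifier only, so even a
        // toString()-based key carries nothing sensitive.
        @Override
        public String toString() {
            return id;
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof Employee && ((Employee) o).id.equals(id);
        }

        @Override
        public int hashCode() {
            return id.hashCode();
        }
    }

    /**
     * Hypothetical provider that overrides getId() so item identity is taken
     * from the explicit identifier rather than from the item's string form.
     */
    public static final class EmployeeDataProvider extends TreeDataProvider<Employee> {
        public EmployeeDataProvider(TreeData<Employee> data) {
            super(data);
        }

        @Override
        public Object getId(Employee item) {
            return item.getId();
        }
    }

    /** Builds a TreeGrid over constructed sample data; only the name column is exposed. */
    public static TreeGrid<Employee> buildGrid() {
        Employee ceo = new Employee("e-1", "Ada", 250_000);
        Employee dev = new Employee("e-2", "Grace", 150_000);

        TreeData<Employee> data = new TreeData<>();
        data.addItem(null, ceo);   // root item
        data.addItem(ceo, dev);    // child of ceo

        TreeGrid<Employee> grid = new TreeGrid<>();
        grid.setDataProvider(new EmployeeDataProvider(data));
        grid.addHierarchyColumn(Employee::getName).setHeader("Name");
        // Deliberately no column for salary: it is neither a cell value nor
        // part of the key, so it is never sent to the client.
        return grid;
    }
}
```

A quick check after applying either change is to open the page with the browser's developer tools and inspect the UIDL messages for the grid: the keys and cell values for each row should contain only the identifier and the displayed columns, never the fields that were kept server-side.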
Weakness Enumeration
Information Disclosure
Affected Products
Vaadin