VAADIN:CVE-2020-36319
Apr 21, 2020 - 12:00 a.m.

Potential sensitive data exposure in applications using Vaadin 15

2020-04-21 00:00:00
vaadin.com

CVSS2: 3.5 Low
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 41.4%

Insecure configuration of the default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController. See CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

Description
The affected versions of Vaadin modify the default ObjectMapper bean in Spring to also expose private and protected properties. This can cause accidental exposure of sensitive data if the application also uses e.g. @RestController. Vaadin 15.0.5 fixes the problem by only modifying a separate ObjectMapper instance that isn't shared with other Spring functionality.

Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version: Vaadin 15.0.0 - 15.0.4
Mitigation: Upgrade to 15.0.5 or newer version

Artifacts
Maven coordinates: com.vaadin:flow-server
Vulnerable version: 3.0.0 - 3.0.5
Fixed version: ≥ 3.0.6

Credit
This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie).

References
PR: https://github.com/vaadin/flow/pull/8016
PR: https://github.com/vaadin/flow/pull/8051
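The following Java/Jackson snippet is an added illustration of the mechanism described above; it is not code from Vaadin, Spring, or this advisory. It contrasts the vulnerable pattern (widening field visibility on the ObjectMapper that the rest of the application, including @RestController responses, also uses) with the fixed pattern (widening a private copy only). It assumes Jackson Databind 2.x on the classpath; the call setVisibility(FIELD, ANY) is an assumed stand-in for "exposing private and protected properties", since the advisory does not spell out Vaadin's exact customisation; the Account class and the PLACEHOLDER_* values are constructed for the demo.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Constructed example (not Vaadin's or Spring's code): a library that widens
// field visibility on the ObjectMapper shared with the whole application makes
// every Jackson-based endpoint serialize non-public fields; widening a private
// copy instead leaves the shared mapper, and therefore REST responses, untouched.
public class SharedObjectMapperDemo {

    // Constructed domain object: only `username` is meant to appear in JSON.
    // `passwordHash` and `internalNote` have no getters, so Jackson's default
    // visibility (public getters / public fields) does not serialize them.
    public static class Account {
        private final String username;
        private final String passwordHash;
        protected String internalNote;

        public Account(String username, String passwordHash, String internalNote) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.internalNote = internalNote;
        }

        public String getUsername() {
            return username;
        }
    }

    // Vulnerable pattern: mutate the application-wide mapper in place. In Spring
    // terms this corresponds to customising the default ObjectMapper bean that
    // @RestController responses are also written with. setVisibility(FIELD, ANY)
    // is an assumed way of exposing private and protected properties.
    static ObjectMapper widenSharedMapper(ObjectMapper shared) {
        shared.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return shared;
    }

    // Fixed pattern: copy the mapper and widen only the copy. The shared mapper
    // keeps Jackson's default visibility, so other consumers are unaffected.
    static ObjectMapper widenPrivateCopy(ObjectMapper shared) {
        ObjectMapper own = shared.copy();
        own.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return own;
    }

    // Regression check an application can run against its injected mapper:
    // does serialising a probe object emit a field that has no accessor?
    static boolean leaksNonPublicFields(ObjectMapper mapper) throws JsonProcessingException {
        Account probe = new Account("probe", "PLACEHOLDER_HASH", "PLACEHOLDER_NOTE");
        String json = mapper.writeValueAsString(probe);
        return json.contains("passwordHash") || json.contains("internalNote");
    }

    public static void main(String[] args) throws JsonProcessingException {
        Account acct = new Account("alice", "PLACEHOLDER_HASH", "PLACEHOLDER_NOTE");

        // Shared mapper mutated in place: the hash now travels with every response.
        ObjectMapper shared = new ObjectMapper();
        widenSharedMapper(shared);
        System.out.println("shared mapper, mutated in place: " + shared.writeValueAsString(acct));
        System.out.println("  leaks non-public fields? " + leaksNonPublicFields(shared));

        // Private copy widened: the shared mapper still hides the hash.
        ObjectMapper untouched = new ObjectMapper();
        ObjectMapper privateCopy = widenPrivateCopy(untouched);
        System.out.println("shared mapper, left alone:       " + untouched.writeValueAsString(acct));
        System.out.println("  leaks non-public fields? " + leaksNonPublicFields(untouched));
        System.out.println("private copy used by the library: " + privateCopy.writeValueAsString(acct));
    }
}
```

Compile and run with jackson-databind (and its annotations and core dependencies) on the classpath. In a Spring application the leaksNonPublicFields check is most useful as a test that receives the context's ObjectMapper bean by injection, so that any library which later re-widens the shared mapper is caught before deployment.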
