CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.004 Low
Percentile: 72.6%
Improper URL validation in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows an attacker to request arbitrary files stored outside the intended frontend resources folder. See CWE-20: Improper Input Validation, CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’).

Description

When running the webpack development server, it was possible to request files in the file system that are stored outside the intended frontend resources folder. This exposed two attack vectors:

- A developer running a Vaadin application locally in development mode could expose their file system to an attacker by visiting a malicious website.
- A developer running a Vaadin application locally in development mode and allowing it to be accessed from outside their own system would expose their file system to the outside world.

The file system would be exposed to an attacker if:

- the Vaadin application does not have production mode enabled and is missing webpack-compiled frontend resources, and
- the Vaadin application is deployed to a system on which it has access to a Node.js installation (or allows the installation of Node.js), and
- this causes the application startup to install and start the webpack development server on the system.

This issue is not present in Vaadin applications running in production mode: it only occurs when developing a Vaadin application and running the webpack development server.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version | Mitigation
Vaadin 14.0.0 - 14.4.2 | Upgrade to 14.4.3 or newer version
Vaadin 15 - 17 | No longer supported; upgrade to 18.0.0 or newer version

Please note that Vaadin versions 15-17 are no longer supported and you should update to the latest 18 version.

Artifacts

Maven coordinates | Vulnerable version | Fixed version
com.vaadin:flow-server | 2.0.0 - 2.4.1 | ≥ 2.4.2
com.vaadin:flow-server | 3.0 - 4.0 | N/A

References

PR: https://github.com/vaadin/flow/pull/9392
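The defensive property the advisory describes is that a static-file handler must only ever serve files that resolve inside the intended frontend resources folder. The following is an added example of such a containment check; it is not code from the Vaadin project or from the referenced pull request, and the class name FrontendPathGuard, the folder /srv/app/frontend and the sample request paths are constructed for illustration. It goes slightly beyond the advisory text by also handling percent-encoded, double-encoded and backslash forms of "..", which any path-containment check should reject.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/**
 * Added example, not Vaadin code: restricts a development-server style
 * static-file handler to one frontend resources folder. A request is served
 * only if, after percent-decoding and normalisation, it still resolves
 * inside that folder.
 */
public final class FrontendPathGuard {
    private final Path frontendRoot;

    public FrontendPathGuard(Path frontendRoot) {
        // Absolute and normalised so that startsWith() below compares whole
        // path components ("/srv/app/frontend2" is not under "/srv/app/frontend").
        this.frontendRoot = frontendRoot.toAbsolutePath().normalize();
    }

    /** Returns the file to serve, or empty if the request escapes frontendRoot. */
    public Optional<Path> resolve(String requestPath) {
        if (requestPath == null || requestPath.isEmpty()) {
            return Optional.empty();
        }
        // Decode percent-encoding until stable so "%2e%2e/" and the double-encoded
        // "%252e%252e/" are both seen as "../" before the containment check.
        // (URLDecoder also maps '+' to a space, which is harmless for this check.)
        String decoded = requestPath;
        for (int i = 0; i < 3; i++) {
            String next = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
            if (next.equals(decoded)) {
                break;
            }
            decoded = next;
        }
        // Backslashes are directory separators on Windows; treat them as such on
        // every platform so "..\" cannot slip past a '/'-only check.
        decoded = decoded.replace('\\', '/');
        // NUL bytes can truncate paths in native code; reject them outright.
        if (decoded.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // Request paths are relative to the frontend folder; drop leading slashes
        // so resolve() is never handed an absolute path that replaces the root.
        String relative = decoded.replaceFirst("^/+", "");
        Path candidate;
        try {
            candidate = frontendRoot.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
        // The actual containment check: every served file must lie under the root.
        if (!candidate.startsWith(frontendRoot)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        // Constructed folder and requests for illustration.
        FrontendPathGuard guard = new FrontendPathGuard(Paths.get("/srv/app/frontend"));
        String[] requests = {
            "/VAADIN/static/app.js",              // inside the folder: served
            "/../../../etc/passwd",               // plain traversal: rejected
            "/%2e%2e/%2e%2e/etc/passwd",          // percent-encoded traversal: rejected
            "/%252e%252e/%252e%252e/etc/passwd",  // double-encoded traversal: rejected
            "/..\\..\\secrets.txt",               // backslash traversal: rejected
            "/static/../index.html"               // ".." that stays inside: served
        };
        for (String r : requests) {
            System.out.println(r + " -> "
                + guard.resolve(r).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

Two design points worth noting: the check compares path components with Path.startsWith rather than string prefixes, so a sibling folder sharing the root's name as a prefix is still rejected; and normalize() does not follow symbolic links, so if the frontend folder may contain links pointing elsewhere, the candidate should additionally be passed through toRealPath() and compared against the root's real path before serving.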