CVE-2020-36321
- Source
- https://cve.org/CVERecord?id=CVE-2020-36321
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36321.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-36321
- Aliases
- Published
- 2021-04-23T16:15:08.403Z
- Modified
- 2026-04-11T13:53:13.327975Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
- References
Affected packages
Git / github.com/vaadin/flow
Affected ranges
Affected versions
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0.alpha1
2.1.0.beta1
2.1.0.beta3
2.2.0.alpha1
2.2.0.alpha10
2.2.0.alpha11
2.2.0.alpha12
2.2.0.alpha13
2.2.0.alpha14
2.2.0.alpha15
2.2.0.alpha16
2.2.0.alpha2
2.2.0.alpha3
2.2.0.alpha4
2.2.0.alpha5
2.2.0.alpha6
2.2.0.alpha7
2.2.0.alpha8
2.2.0.alpha9
2.2.0.beta1
2.2.0.beta2
2.2.0.rc1
2.2.alpha14
2.3.0
2.3.0.alpha1
2.3.0.beta1
2.3.0.beta2
2.3.0.beta3
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.0.alpha1
2.4.0.beta1
2.4.0.beta2
2.4.1
3.*
3.0.0.alpha17
3.0.0.alpha5
3.0.0.beta1
3.0.0.beta2
3.0.0.beta3
3.0.0.beta4
3.2.0.alpha1
3.2.0.alpha2
3.2.0.alpha3
3.2.0.alpha4
3.2.0.alpha5
3.2.0.alpha6
3.2.0.alpha7
4.*
4.0.0.alpha1
4.0.0.alpha2
4.0.0.alpha3
4.0.0.beta1
5.*
5.0.0.alpha1
5.0.0.beta1
5.0.0.rc1
v14.*
v14.0.0
v14.0.1
v14.0.2
v14.1.0
v14.1.0-alpha1
v14.1.0-alpha2
v14.1.0-alpha3
v14.1.0-alpha4
v14.1.0-alpha5
v14.1.0-beta1
v14.1.0-beta2
v14.1.0-beta3
v14.1.0-rc1
v14.1.1
v14.1.2
v14.2.0
v14.2.0-alpha1
v14.2.0-alpha10
v14.2.0-alpha11
v14.2.0-alpha2
v14.2.0-alpha3
v14.2.0-alpha4
v14.2.0-alpha5
v14.2.0-alpha6
v14.2.0-alpha7
v14.2.0-alpha8
v14.2.0-alpha9
v14.2.0-beta1
v14.2.0-rc1
v14.3.0
v14.3.0-alpha1
v14.3.0-beta1
v14.3.0-beta2
v14.3.0-beta3
v14.3.0-rc1
v14.4.0
v14.4.0-alpha1
v14.4.0-beta1
v14.4.0-beta2
v14.4.0-rc1
v14.4.1
v14.4.2
v15.*
v15.0.0-alpha1
v15.0.0-alpha10
v15.0.0-alpha11
v15.0.0-alpha12
v15.0.0-alpha13
v15.0.0-alpha14
v15.0.0-alpha15
v15.0.0-alpha2
v15.0.0-alpha3
v15.0.0-alpha4
v15.0.0-alpha5
v15.0.0-alpha6
v15.0.0-alpha7
v15.0.0-alpha8
v15.0.0-alpha9
v15.0.0-beta1
v15.0.0-beta2
v15.0.0-beta3
v15.0.0-beta4
v15.0.0-beta5
v15.0.0-rc1
v16.*
v16.0.0-alpha1
v16.0.0-alpha2
v16.0.0-alpha3
v17.*
v17.0.0
v17.0.0-alpha1
v17.0.0-alpha2
v17.0.0-alpha3
v17.0.0-alpha4
v17.0.0-alpha5
v17.0.0-alpha6
v17.0.0-alpha7
v17.0.0-beta1
v17.0.0-beta2
v17.0.0-beta3
v17.0.0-rc1
v17.0.0-rc2
v18.*
v18.0.0-alpha1
v18.0.0-beta1
v18.0.0-beta2
v18.0.0-beta3
v18.0.0-rc1
v18.0.0-rc2
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36321.json"
vanir_signatures_modified
"2026-04-11T13:53:13Z"
vanir_signatures
[
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
"digest": {
"function_hash": "249622570144799160707345132873329528777",
"length": 1300.0
},
"id": "CVE-2020-36321-0d26ca84",
"deprecated": false,
"target": {
"file": "flow-server/src/test/java/com/vaadin/flow/internal/ResponseWriterTest.java",
"function": "assertMultipartResponse"
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
"digest": {
"threshold": 0.9,
"line_hashes": [
"153177363219435303937481346278910453140",
"181422030205452905305290291040049227309",
"33971829593394412345599048598093718036",
"275041624494612527645552893294291103394",
"86469247458738357383103507442104737069",
"25922342559461617944053885903640254293",
"232339524840583842812333248918319678667"
]
},
"id": "CVE-2020-36321-417a7d8e",
"deprecated": false,
"target": {
"file": "flow-server/src/test/java/com/vaadin/flow/internal/ResponseWriterTest.java"
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
"digest": {
"threshold": 0.9,
"line_hashes": [
"43520808278726046006432504985646778166",
"296123810924565338498643766530874911587",
"221259991966709583237594580063444196171",
"108437677596457758235630426291300831986",
"317700053554754753249584371690674619316",
"161853292399189728664655237763082637062",
"27953669406768766753844549422154923759",
"271721621782024497285018147912205502689",
"97433726130074578806977607204725840712",
"153742533932158225961900960708720470033",
"275096766594378320841425464416028224121",
"106015272132669031337108147864651992326",
"172585572563459339251084935163900343552",
"118576641918442202000303694882491631629",
"159566678862912923854403932800634387798",
"250832752003912735365863795960963851311",
"95251104644391592641027354560185502492",
"285848104943858832560397642457555650382",
"315036448805680584430042212921432466215",
"255473002469754674093051837237214340125",
"230235063635031316715263929865930818925",
"322837197650918553560479406135892037458",
"74990952378373315520732252202114369521",
"315036448805680584430042212921432466215",
"80656763328939012405066971435088009862",
"184993245847957223953294561761420966511",
"27613114131117876128238304830026711186",
"310898117397158724705314868744425276684",
"211579530431730291031803728089338761891",
"155912885843459940685605779617059510580",
"99375202491282114146738158083936559773"
]
},
"id": "CVE-2020-36321-a61406d4",
"deprecated": false,
"target": {
"file": "flow-server/src/main/java/com/vaadin/flow/internal/ResponseWriter.java"
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
"digest": {
"function_hash": "299806186407132363208599384657169049253",
"length": 1587.0
},
"id": "CVE-2020-36321-e6f3accf",
"deprecated": false,
"target": {
"file": "flow-server/src/main/java/com/vaadin/flow/internal/ResponseWriter.java",
"function": "writeRangeContents"
}
}
]