CVE-2020-36321

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-36321

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36321.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-36321

Aliases

GHSA-49r2-73m6-pp8f

Published

2021-04-23T16:15:08Z

Modified

2024-09-03T03:30:35.058373Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type: GIT
Repo: https://github.com/vaadin/flow
Events: Introduced

8e306579f157678c3baa3f3f63f406d073668161

Fixed

4623398d1c6817fb6e7e7ae8d05f54cede9c45ee

Type: GIT
Repo: https://github.com/vaadin/platform
Events: Introduced

1497812ad40b7ff90bef8bdb28808afc8d7194d1

Fixed

f052a3723576ff39af54d475c25a328e0547b34b

Type: GIT
Repo: https://github.com/vaadin/vaadin
Events: Introduced

ca9cf99092245a31a84b317adf1d79a397970d27

Fixed

e9b8eba22d382c574a5a7a11a68afd09e7eaa39d

Affected versions

14.*

14.0.0

14.0.1

14.0.2

14.1.0

14.1.0.alpha1

14.1.0.alpha3

14.1.0.beta1

14.1.0.beta2

14.1.1

14.1.2

14.2.0

14.2.0.alpha1

14.2.0.alpha10

14.2.0.alpha11

14.2.0.alpha2

14.2.0.alpha3

14.2.0.alpha4

14.2.0.alpha5

14.2.0.alpha6

14.2.0.alpha7

14.2.0.alpha8

14.2.0.alpha9

14.2.0.beta1

14.2.0.rc1

14.3.0

14.3.0.alpha1

14.3.0.beta1

14.3.0.beta2

14.3.0.beta3

14.3.0.rc1

14.4.0

14.4.0.alpha1

14.4.0.beta1

14.4.0.beta2

14.4.0.rc1

14.4.1

14.4.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0.alpha1

2.1.0.beta1

2.1.0.beta3

2.2.0

2.2.0.alpha1

2.2.0.alpha10

2.2.0.alpha11

2.2.0.alpha12

2.2.0.alpha13

2.2.0.alpha14

2.2.0.alpha15

2.2.0.alpha16

2.2.0.alpha2

2.2.0.alpha3

2.2.0.alpha4

2.2.0.alpha5

2.2.0.alpha6

2.2.0.alpha7

2.2.0.alpha8

2.2.0.alpha9

2.2.0.beta1

2.2.0.beta2

2.2.0.rc1

2.2.1

2.2.2

2.2.alpha14

2.3.0

2.3.0.alpha1

2.3.0.beta1

2.3.0.beta2

2.3.0.beta3

2.3.1

2.3.2

2.3.3

2.3.4

2.4.0

2.4.0.alpha1

2.4.0.beta1

2.4.0.beta2

2.4.1

3.*

3.0.0.alpha5

v14.*

v14.0.0

v14.0.1

v14.0.2

v14.1.0

v14.1.0-alpha1

v14.1.0-alpha2

v14.1.0-alpha3

v14.1.0-alpha4

v14.1.0-alpha5

v14.1.0-beta1

v14.1.0-beta2

v14.1.0-beta3

v14.1.0-rc1

v14.1.1

v14.1.2

v14.2.0

v14.2.0-alpha1

v14.2.0-alpha10

v14.2.0-alpha11

v14.2.0-alpha2

v14.2.0-alpha3

v14.2.0-alpha4

v14.2.0-alpha5

v14.2.0-alpha6

v14.2.0-alpha7

v14.2.0-alpha8

v14.2.0-alpha9

v14.2.0-beta1

v14.2.0-rc1

v14.3.0

v14.3.0-alpha1

v14.3.0-beta1

v14.3.0-beta2

v14.3.0-beta3

v14.3.0-rc1

v14.4.0

v14.4.0-alpha1

v14.4.0-beta1

v14.4.0-beta2

v14.4.0-rc1

v14.4.1

v14.4.2