GHSA-5f9v-mv5g-jh5q

Source
https://github.com/advisories/GHSA-5f9v-mv5g-jh5q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-5f9v-mv5g-jh5q/GHSA-5f9v-mv5g-jh5q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5f9v-mv5g-jh5q
Aliases
Published
2023-06-22T20:01:11Z
Modified
2024-02-16T08:18:51.575461Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
Vaadin vulnerable to possible information disclosure in non-visible components.
Details

Description

When non-visible components are added to the UI on the server side, their content is still sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

  • https://vaadin.com/security/cve-2023-25499
Database specific
{
    "nvd_published_at": "2023-06-22T13:15:09Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-201"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-22T20:01:11Z"
}
References

Affected packages

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.23

Affected versions

10.*

10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.0.10
10.0.11
10.0.12
10.0.13
10.0.14
10.0.15
10.0.16
10.0.17
10.0.18
10.0.19
10.0.20
10.0.21
10.0.22

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
14.10.1

Affected versions

11.*

11.0.0
11.0.1
11.0.2
11.0.3
11.0.4

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7

13.*

13.0.0
13.0.1
13.0.2
13.0.3
13.0.4
13.0.5
13.0.6
13.0.7
13.0.8
13.0.9
13.0.10
13.0.11
13.0.12
13.0.13

14.*

14.0.0
14.0.1
14.0.2
14.0.3
14.0.4
14.0.5
14.0.6
14.0.7
14.0.8
14.0.9
14.0.10
14.0.11
14.0.12
14.0.13
14.0.14
14.0.15
14.1.0
14.1.1
14.1.2
14.1.3
14.1.4
14.1.5
14.1.16
14.1.17
14.1.18
14.1.19
14.1.20
14.1.21
14.1.22
14.1.23
14.1.24
14.1.25
14.1.26
14.1.27
14.1.28
14.2.0
14.2.1
14.2.2
14.2.3
14.3.0
14.3.1
14.3.2
14.3.3
14.3.4
14.3.5
14.3.6
14.3.7
14.3.8
14.3.9
14.4.0
14.4.1
14.4.2
14.4.3
14.4.4
14.4.5
14.4.6
14.4.7
14.4.8
14.4.9
14.4.10
14.5.0
14.5.1
14.5.2
14.5.3
14.5.4
14.5.5
14.6.0
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.6.7
14.6.8
14.6.9
14.7.0
14.7.1
14.7.2
14.7.3
14.7.4
14.7.5
14.7.6
14.7.7
14.7.8
14.8.0
14.8.1
14.8.2
14.8.3
14.8.4
14.8.5
14.8.6
14.8.7
14.8.8
14.8.9
14.8.10
14.8.11
14.8.12
14.8.13
14.8.14
14.8.15
14.8.16
14.8.17
14.8.18
14.8.19
14.8.20
14.9.0
14.9.1
14.9.2
14.9.3
14.9.4
14.9.5
14.9.6
14.9.7
14.9.8
14.10.0

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.0.0
Fixed
23.3.13

Affected versions

23.*

23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7
23.0.8
23.0.9
23.0.10
23.0.11
23.0.12
23.0.13
23.0.14
23.0.15
23.0.16
23.1.0
23.1.1
23.1.2
23.1.3
23.1.4
23.1.6
23.1.7
23.1.8
23.1.9
23.1.10
23.1.11
23.1.12
23.1.13
23.1.14
23.1.15
23.1.16
23.1.17
23.2.0
23.2.1
23.2.2
23.2.3
23.2.4
23.2.5
23.2.6
23.2.7
23.2.8
23.2.9
23.2.10
23.2.11
23.2.12
23.2.13
23.2.14
23.2.15
23.2.16
23.2.17
23.3.0
23.3.1
23.3.2
23.3.3
23.3.4
23.3.5
23.3.6
23.3.7
23.3.8
23.3.9
23.3.10
23.3.11
23.3.12

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
24.0.0
Fixed
24.0.6

Affected versions

24.*

24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
24.1.0.alpha1
Fixed
24.1.0

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.20

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.0
Fixed
2.8.10

Affected versions

1.*

1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.1.0.beta2
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0.alpha11
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0.beta1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18
2.7.19
2.7.20
2.7.21
2.7.22
2.7.23
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
9.1.1

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0
3.1.1
3.1.2
3.1.3
3.1.5
3.1.6
3.1.7

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10

7.*

7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8
7.0.9

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5

9.*

9.0.0
9.0.1
9.0.2
9.0.3
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.9
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.15
9.0.16
9.0.17
9.0.18
9.0.19
9.0.20
9.0.21
9.0.22
9.0.23
9.0.24
9.0.25
9.0.26
9.1.0

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.0.0
Fixed
23.3.11

Affected versions

23.*

23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7
23.0.8
23.0.9
23.0.10
23.0.11
23.0.12
23.0.13
23.0.14
23.1.0
23.1.1
23.1.2
23.1.3
23.1.4
23.1.5
23.1.6
23.1.7
23.1.8
23.1.9
23.1.10
23.1.11
23.1.12
23.2.0
23.2.1
23.2.2
23.2.3
23.2.4
23.2.5
23.2.6
23.2.7
23.2.8
23.2.9
23.2.10
23.2.11
23.3.0
23.3.1
23.3.2
23.3.3
23.3.4
23.3.5
23.3.6
23.3.7
23.3.8
23.3.9
23.3.10

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
24.0.0
Fixed
24.0.8

Affected versions

24.*

24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5
24.0.6
24.0.7

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
24.1.0.alpha1
Fixed
24.1.0