GHSA-qfr3-323w-qv27

Source
https://github.com/advisories/GHSA-qfr3-323w-qv27
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qfr3-323w-qv27/GHSA-qfr3-323w-qv27.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qfr3-323w-qv27
Aliases
Published
2022-05-25T22:40:03Z
Modified
2024-05-15T06:31:57.764298Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
Possible information disclosure inside TreeGrid component with default data provider
Details

Description

The default configuration of the TreeGrid component uses Object::toString as the item key in client-server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4. Because the string representation of each item is sent to the browser as its key, this can result in information disclosure of values that should not be available on the client side.

Database specific
{
    "nvd_published_at": "2022-05-24T15:15:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T22:40:03Z"
}
References

Affected packages

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
View open source insights on deps.dev
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.8.5
Fixed
14.8.10

Affected versions

14.*

14.8.5
14.8.6
14.8.7
14.8.8
14.8.9

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
22.0.6
Fixed
22.0.15

Affected versions

22.*

22.0.6
22.0.7
22.0.8
22.0.9
22.0.10
22.0.11
22.0.12
22.0.13
22.0.14

Maven / com.vaadin:vaadin

Package

Name
com.vaadin:vaadin
Purl
pkg:maven/com.vaadin/vaadin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.0.0
Fixed
23.0.9

Affected versions

23.*

23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7
23.0.8

Maven / com.vaadin:vaadin-grid-flow

Package

Name
com.vaadin:vaadin-grid-flow
Purl
pkg:maven/com.vaadin/vaadin-grid-flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.8.5
Fixed
14.8.10

Affected versions

14.*

14.8.5
14.8.6
14.8.7
14.8.8
14.8.9

Maven / com.vaadin:vaadin-grid-flow

Package

Name
com.vaadin:vaadin-grid-flow
Purl
pkg:maven/com.vaadin/vaadin-grid-flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
22.0.6
Fixed
22.0.15

Affected versions

22.*

22.0.6
22.0.7
22.0.8
22.0.9
22.0.10
22.0.11
22.0.12
22.0.13
22.0.14

Maven / com.vaadin:vaadin-grid-flow

Package

Name
com.vaadin:vaadin-grid-flow
Purl
pkg:maven/com.vaadin/vaadin-grid-flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.0.0.beta2
Fixed
23.0.9

Affected versions

23.*

23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7
23.0.8