github - ghsa-5f9v-mv5g-jh5q

GHSA-5F9V-MV5G-JH5Q

Vulnerability from github – Published: 2023-06-22 20:01 – Updated: 2023-06-22 20:01

Summary

Vaadin vulnerable to possible information disclosure in non visible components.

Details

Description

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

https://vaadin.com/security/cve-2023-25499

Severity ?

5.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.3.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.1.0.alpha1"
            },
            {
              "fixed": "24.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "2.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "9.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.3.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.1.0.alpha1"
            },
            {
              "fixed": "24.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-22T20:01:11Z",
    "nvd_published_at": "2023-06-22T13:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Description\nWhen adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n* https://vaadin.com/security/cve-2023-25499",
  "id": "GHSA-5f9v-mv5g-jh5q",
  "modified": "2023-06-22T20:01:11Z",
  "published": "2023-06-22T20:01:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/platform/security/advisories/GHSA-5f9v-mv5g-jh5q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25499"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/15885"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/platform"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/CVE-2023-25499"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vaadin vulnerable to possible information disclosure in non visible components."
}

CVE-2023-25499 (GCVE-0-2023-25499)

Vulnerability from cvelistv5 – Published: 2023-06-22 12:47 – Updated: 2024-12-05 19:58

Summary

Severity ?

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

Vaadin

References

URL

Tags

	https://vaadin.com/security/CVE-2023-25499
	https://github.com/vaadin/flow/pull/15885

Impacted products

Vendor

Product

Version

vaadin

Affected: 10.0.0 , ≤ 10.0.22 (maven)
Affected: 11.0.0 , ≤ 14.10.0 (maven)
Affected: 15.0.0 , ≤ 22.0.28 (maven)
Affected: 23.0.0 , ≤ 23.3.12 (maven)
Affected: 24.0.0 , ≤ 24.0.5 (maven)
Affected: 24.1.0.alpha1 , ≤ 24.1.0.beta1 (maven)

vaadin

flow-server

Affected: 1.0.0 , ≤ 24.0.0.beta1 (maven)
Affected: 1.1.0 , ≤ 2.8.9 (maven)
Affected: 3.3.0 , ≤ 9.1.0 (maven)
Affected: 23.0.0 , ≤ 23.3.10 (maven)
Affected: 24.0.0 , ≤ 24.0.7 (maven)
Affected: 24.1.0.alpha1 , ≤ 24.1.0.beta1 (maven)

Credits

Kim Leppänen

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:25:18.642Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://vaadin.com/security/CVE-2023-25499"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/vaadin/flow/pull/15885"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25499",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-05T19:58:40.795727Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-05T19:58:49.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "vaadin",
          "repo": "https://github.com/vaadin/platform",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "10.0.22",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "14.10.0",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "22.0.28",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "23.3.12",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.0.5",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.1.0.beta1",
              "status": "affected",
              "version": "24.1.0.alpha1",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "flow-server",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "24.0.0.beta1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2.8.9",
              "status": "affected",
              "version": "1.1.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "9.1.0",
              "status": "affected",
              "version": "3.3.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "23.3.10",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.0.7",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.1.0.beta1",
              "status": "affected",
              "version": "24.1.0.alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Kim Lepp\u00e4nen"
        }
      ],
      "datePublic": "2023-06-21T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-22T12:47:57.760Z",
        "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
        "shortName": "Vaadin"
      },
      "references": [
        {
          "url": "https://vaadin.com/security/CVE-2023-25499"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/15885"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Possible information disclosure in non visible components",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
    "assignerShortName": "Vaadin",
    "cveId": "CVE-2023-25499",
    "datePublished": "2023-06-22T12:47:57.760Z",
    "dateReserved": "2023-02-06T20:44:44.569Z",
    "dateUpdated": "2024-12-05T19:58:49.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted