Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTgybWYtbW1oNy1oeHA1
Directory traversal in development mode handler in Vaadin 14 and 15-17
Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTgybWYtbW1oNy1oeHA1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-82mf-mmh7-hxp5
References:
- https://github.com/vaadin/platform/security/advisories/GHSA-82mf-mmh7-hxp5
- https://vaadin.com/security/cve-2020-36321
- https://github.com/advisories/GHSA-82mf-mmh7-hxp5
Blast Radius: 21.5
Affected Packages
maven:com.vaadin:vaadin-bom
Dependent packages: 166Dependent repositories: 4,379
Downloads:
Affected Version Ranges: >= 15.0.0, < 18.0.0, >= 14.0.0, < 14.4.3
Fixed in: 18.0.0, 14.4.3
All affected versions: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 14.0.6, 14.0.7, 14.0.8, 14.0.9, 14.0.10, 14.0.11, 14.0.12, 14.0.13, 14.0.14, 14.0.15, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 14.1.16, 14.1.17, 14.1.18, 14.1.19, 14.1.20, 14.1.21, 14.1.22, 14.1.23, 14.1.24, 14.1.25, 14.1.26, 14.1.27, 14.1.28, 14.2.0, 14.2.1, 14.2.2, 14.2.3, 14.3.0, 14.3.1, 14.3.2, 14.3.3, 14.3.4, 14.3.5, 14.3.6, 14.3.7, 14.3.8, 14.3.9, 14.4.0, 14.4.1, 14.4.2, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4, 16.0.5, 17.0.0, 17.0.1, 17.0.2, 17.0.3, 17.0.4, 17.0.6, 17.0.7, 17.0.8, 17.0.9, 17.0.10, 17.0.11
All unaffected versions: 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.7.5, 7.7.6, 7.7.7, 7.7.8, 7.7.9, 7.7.10, 7.7.11, 7.7.12, 7.7.13, 7.7.14, 7.7.15, 7.7.16, 7.7.17, 7.7.23, 7.7.24, 7.7.25, 7.7.26, 7.7.27, 7.7.28, 7.7.29, 7.7.30, 7.7.31, 7.7.32, 7.7.33, 7.7.34, 7.7.35, 7.7.36, 7.7.37, 7.7.38, 7.7.39, 7.7.40, 7.7.41, 7.7.42, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.6.4, 8.7.0, 8.7.1, 8.7.2, 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.9.4, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.10.4, 8.10.5, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.12.0, 8.12.1, 8.12.2, 8.12.3, 8.12.4, 8.13.0, 8.13.1, 8.13.2, 8.13.3, 8.14.0, 8.14.1, 8.14.2, 8.14.3, 8.15.0, 8.15.1, 8.15.2, 8.16.0, 8.16.1, 8.17.0, 8.18.0, 8.19.0, 8.20.0, 8.20.1, 8.20.2, 8.20.3, 8.21.0, 8.22.0, 8.23.0, 8.24.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 10.0.14, 10.0.15, 10.0.16, 10.0.17, 10.0.18, 10.0.19, 10.0.20, 10.0.21, 10.0.22, 10.0.23, 10.0.24, 10.0.25, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.11, 13.0.12, 13.0.13, 14.4.3, 14.4.4, 14.4.5, 14.4.6, 14.4.7, 14.4.8, 14.4.9, 14.4.10, 14.5.0, 14.5.1, 14.5.2, 14.5.3, 14.5.4, 14.5.5, 14.6.0, 14.6.1, 14.6.2, 14.6.3, 14.6.4, 14.6.5, 14.6.6, 14.6.7, 14.6.8, 14.6.9, 14.7.0, 14.7.1, 14.7.2, 14.7.3, 14.7.4, 14.7.5, 14.7.6, 14.7.7, 14.7.8, 14.8.0, 14.8.1, 14.8.2, 14.8.3, 14.8.4, 14.8.5, 14.8.6, 14.8.7, 14.8.8, 14.8.9, 14.8.10, 14.8.11, 14.8.12, 14.8.13, 14.8.14, 14.8.15, 14.8.16, 14.8.17, 14.8.18, 14.8.19, 14.8.20, 14.9.0, 14.9.1, 14.9.2, 14.9.3, 14.9.4, 14.9.5, 14.9.6, 14.9.7, 14.9.8, 14.10.0, 14.10.1, 14.10.2, 14.10.3, 14.10.4, 14.10.5, 14.10.6, 14.10.7, 14.10.8, 14.10.9, 14.10.10, 14.10.11, 14.10.12, 14.11.0, 14.11.1, 14.11.2, 14.11.3, 14.11.4, 14.11.5, 14.11.6, 18.0.0, 18.0.1, 18.0.2, 18.0.3, 18.0.4, 18.0.5, 18.0.6, 18.0.7, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 19.0.5, 19.0.6, 19.0.7, 19.0.8, 19.0.9, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8, 21.0.0, 21.0.1, 21.0.2, 21.0.3, 21.0.4, 21.0.5, 21.0.6, 21.0.7, 21.0.8, 21.0.9, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 22.0.6, 22.0.7, 22.0.8, 22.0.9, 22.0.10, 22.0.11, 22.0.12, 22.0.13, 22.0.14, 22.0.15, 22.0.16, 22.0.17, 22.0.18, 22.0.20, 22.0.21, 22.0.22, 22.0.23, 22.0.24, 22.0.25, 22.0.26, 22.0.27, 22.0.28, 22.1.0, 22.1.1, 22.1.2, 22.1.3, 22.1.4, 22.1.5, 22.1.6, 22.2.0, 22.2.1, 22.2.2, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 23.0.8, 23.0.9, 23.0.10, 23.0.11, 23.0.12, 23.0.13, 23.0.14, 23.0.15, 23.0.16, 23.1.0, 23.1.1, 23.1.2, 23.1.3, 23.1.4, 23.1.6, 23.1.7, 23.1.8, 23.1.9, 23.1.10, 23.1.11, 23.1.12, 23.1.13, 23.1.14, 23.1.15, 23.1.16, 23.1.17, 23.2.0, 23.2.1, 23.2.2, 23.2.3, 23.2.4, 23.2.5, 23.2.6, 23.2.7, 23.2.8, 23.2.9, 23.2.10, 23.2.11, 23.2.12, 23.2.13, 23.2.14, 23.2.15, 23.2.16, 23.2.17, 23.3.0, 23.3.1, 23.3.2, 23.3.3, 23.3.4, 23.3.5, 23.3.6, 23.3.7, 23.3.8, 23.3.9, 23.3.10, 23.3.11, 23.3.12, 23.3.13, 23.3.14, 23.3.15, 23.3.16, 23.3.17, 23.3.18, 23.3.19, 23.3.20, 23.3.21, 23.3.22, 23.3.23, 23.3.24, 23.3.25, 23.3.26, 23.3.27, 23.3.28, 23.3.29, 23.3.30, 23.3.31, 23.3.32, 23.3.33, 23.4.0, 24.0.0, 24.0.1, 24.0.2, 24.0.3, 24.0.4, 24.0.5, 24.0.6, 24.0.7, 24.0.8, 24.0.9, 24.0.10, 24.0.11, 24.0.12, 24.0.13, 24.0.14, 24.1.0, 24.1.1, 24.1.2, 24.1.3, 24.1.4, 24.1.5, 24.1.6, 24.1.7, 24.1.8, 24.1.9, 24.1.10, 24.1.11, 24.1.12, 24.1.13, 24.1.14, 24.1.15, 24.1.16, 24.2.0, 24.2.1, 24.2.2, 24.2.3, 24.2.4, 24.2.5, 24.2.6, 24.2.7, 24.2.8, 24.2.9, 24.2.10, 24.2.11, 24.2.12, 24.3.0, 24.3.1, 24.3.2, 24.3.3, 24.3.4, 24.3.5, 24.3.6, 24.3.7