CVE-2023-25500 com.vaadin:flow-server

Package

Manager: maven
Name: com.vaadin:flow-server
Vulnerable Version: >=1.0.0 <1.0.21 || >=1.1.0 <2.9.3 || >=3.0.0 <9.1.2 || >=23.0.0 <23.3.13 || >=24.0.0 <24.0.9 || >=24.1.alpha1 <24.1.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00229 (percentile 0.45587)

Details

Vaadin vulnerable to possible information disclosure of class and method names in RPC response

Description

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

https://vaadin.com/security/cve-2023-25500

Metadata

Created: 2023-06-22T20:01:03Z
Modified: 2023-06-22T20:01:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-ch48-9r3q-pv7x/GHSA-ch48-9r3q-pv7x.json
CWE IDs: ["CWE-1295", "CWE-200"]
Alternative ID: GHSA-ch48-9r3q-pv7x
Finding: F038
Auto approve: 1