GHSA-qfr3-323w-qv27: Possible information disclosure inside TreeGrid component with default data provider
Description
The default configuration of the TreeGrid component uses Object::toString as the item key in client-server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4. Because the string form of each item is sent to the browser as its identifier, values that should not be available on the client side may be disclosed.
- CVE-2022-29567
Moderate severity. GitHub Reviewed. Published May 25, 2022 in vaadin/platform. Updated May 25, 2022.
Package
com.vaadin:vaadin (Maven)
Affected versions
>= 14.8.5, < 14.8.10
>= 22.0.6, < 22.0.15
>= 23.0.0, < 23.0.9
Patched versions
14.8.10
22.0.15
23.0.9
Package
com.vaadin:vaadin-grid-flow (Maven)
Affected versions
>= 14.8.5, < 14.8.10
>= 22.0.6, < 22.0.15
>= 23.0.0, < 23.0.9
Patched versions
14.8.10
22.0.15
23.0.9
Severity
CVSS base metrics
User interaction
Required
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
GHSA ID
GHSA-qfr3-323w-qv27