GHSA-qfr3-323w-qv27: Possible information disclosure inside TreeGrid component with default data provider

Description

The default configuration of the TreeGrid component uses Object::toString to generate the item keys exchanged between client and server in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4. Because the key is sent to the browser, any field included in an item's toString() output can be disclosed to the client even if it is not a displayed column, resulting in potential information disclosure of values that should not be available on the client side.
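The following added example (not Vaadin's code; the Employee record, RowSerializer and OpaqueKeyMapper names are hypothetical stand-ins for a grid's data communicator) shows why deriving the client-side row key from Object::toString is a disclosure risk, and the common mitigation of mapping items to opaque, per-session keys that the server resolves back on the next request:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;

// Constructed sample item: toString() carries a field that must stay server-side.
record Employee(String name, String salaryBand) {
    @Override
    public String toString() {
        return "Employee[name=" + name + ", salaryBand=" + salaryBand + "]";
    }
}

/** Hypothetical stand-in for a grid's client/server row serialization. */
final class RowSerializer {

    /** Vulnerable pattern: the item's toString() becomes the client-visible key. */
    static String keyFromToString(Object item) {
        return String.valueOf(item);
    }

    /** Hardened pattern: an opaque counter-based key that reveals nothing about the item. */
    static final class OpaqueKeyMapper {
        private final Map<Object, String> itemToKey = new HashMap<>();
        private final Map<String, Object> keyToItem = new HashMap<>();
        private final AtomicLong next = new AtomicLong(1);

        /** Returns the existing key for an item, or allocates the next sequential one. */
        String key(Object item) {
            return itemToKey.computeIfAbsent(item, i -> {
                String k = Long.toString(next.getAndIncrement());
                keyToItem.put(k, i);
                return k;
            });
        }

        /** Server-side lookup used when the client refers back to a row by key. */
        Object item(String key) {
            return keyToItem.get(key);
        }
    }

    /** Builds the row payload sent to the browser: the key plus only the exposed column(s). */
    static String row(String key, Employee e) {
        return "{\"key\":\"" + key + "\",\"name\":\"" + e.name() + "\"}";
    }

    public static void main(String[] args) {
        Employee e = new Employee("Alice", "L7");

        // Leaky: salaryBand reaches the client inside the key although it is not a column.
        System.out.println(row(keyFromToString(e), e));

        // Hardened: the client only ever sees "1"; the mapping stays on the server.
        OpaqueKeyMapper mapper = new OpaqueKeyMapper();
        String safe = row(mapper.key(e), e);
        System.out.println(safe);
        System.out.println(mapper.item("1") == e);
    }
}
```

When reviewing a data-bound component, the check is the same as here: inspect the serialized row payload with the browser's network tools and confirm that the key field carries no more than an opaque identifier.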

CVE ID

CVE-2022-29567


Moderate severity GitHub Reviewed Published May 25, 2022 in vaadin/platform • Updated May 25, 2022


Package: com.vaadin:vaadin (Maven)

Affected versions: >= 14.8.5, < 14.8.10; >= 22.0.6, < 22.0.15; >= 23.0.0, < 23.0.9

Patched versions: 14.8.10, 22.0.15, 23.0.9

Package: com.vaadin:vaadin-grid-flow (Maven)

Affected versions: >= 14.8.5, < 14.8.10; >= 22.0.6, < 22.0.15; >= 23.0.0, < 23.0.9

Patched versions: 14.8.10, 22.0.15, 23.0.9


Severity

CVSS base metrics

User interaction: Required

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N


GHSA ID

GHSA-qfr3-323w-qv27
