CVE-2022-29567

The default configuration of a TreeGrid component uses Object::toString as a key on the client side and in server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client side.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.7 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| Vaadin | CNA | 5.7 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| CVE | ADP | --- | --- | | | |

EPSS Score Percentile: 54%

| Vendor | Product | Version |
|---|---|---|
| vaadin | vaadin | 14.8.5 ≤ 𝑥 ≤ 14.8.9 |
| vaadin | vaadin | 22.0.6 ≤ 𝑥 ≤ 22.0.15 |
| vaadin | vaadin | 23.0.1 ≤ 𝑥 ≤ 23.0.8 |
| vaadin | vaadin | 23.0.0 |
| vaadin | vaadin | 23.0.0:beta2 |
| vaadin | vaadin | 23.0.0:beta3 |
| vaadin | vaadin | 23.0.0:beta4 |
| vaadin | vaadin | 23.0.0:rc1 |
| vaadin | vaadin | 23.1.0:alpha1 |
| vaadin | vaadin | 23.1.0:alpha2 |
| vaadin | vaadin | 23.1.0:alpha3 |
| vaadin | vaadin | 23.1.0:alpha4 |

𝑥 = Vulnerable software versions