CVE-2023-25500

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
VaadinCNA
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
vaadinvaadin
10.0.0 ≤
𝑥
< 10.0.23
vaadinvaadin
11.0.0 ≤
𝑥
< 14.10.2
vaadinvaadin
15.0.0 ≤
𝑥
≤ 22.0.28
vaadinvaadin
23.0.0 ≤
𝑥
< 23.3.14
vaadinvaadin
24.0.0 ≤
𝑥
< 24.0.7
vaadinvaadin
24.1.0:alpha1
vaadinvaadin
24.1.0:alpha2
vaadinvaadin
24.1.0:alpha3
vaadinvaadin
24.1.0:alpha4
vaadinvaadin
24.1.0:alpha5
vaadinvaadin
24.1.0:alpha6
vaadinvaadin
24.1.0:beta1
vaadinvaadin
24.1.0:beta2
vaadinvaadin
24.1.0:beta3
vaadinvaadin
24.1.0:rc1
vaadinvaadin
24.1.0:rc2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/vaadin/flow/pull/16935
https://vaadin.com/security/cve-2023-25500
https://github.com/vaadin/flow/pull/16935
https://vaadin.com/security/cve-2023-25500