CVE-2022-29567

Published May 24, 2022

Last updated 2 years ago

CVSS high 7.5

Overview

Description: The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.
Source: security@vaadin.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-200
security@vaadin.com: CWE-200

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0579A51E-A3E6-4380-A378-55C53EC3768D",
            "versionEndIncluding": "14.8.9",
            "versionStartIncluding": "14.8.5"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3A7479D6-D6DF-4BE2-AD6C-F92DC502C6B3",
            "versionEndIncluding": "22.0.15",
            "versionStartIncluding": "22.0.6"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4C5BD69D-AF05-4A3E-AB1C-B3B3D1721E0E",
            "versionEndIncluding": "23.0.8",
            "versionStartIncluding": "23.0.1"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E4809E3-6B53-484E-BE86-BB554D346C01"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F50971D5-297E-4558-9BE5-AD7378A4215F"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E561C638-33CB-4C1C-9A0B-FC590993C59F"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F992E61E-EC84-44E9-90CE-113EF2B1EB05"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F4382528-7D82-4339-8615-891C93D749C4"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "778333E4-27C5-4EA3-8EF8-48774CE67188"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A84E4454-773E-4735-B5D4-9F2E6537B8B1"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9544B2F5-C913-4ECE-8028-8BFBFD36A2EB"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "312D297B-ACBD-4764-80AD-5AB042DCE01D"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References