Search criteria
1 vulnerability by flow
CVE-2023-25500 (GCVE-0-2023-25500)
Vulnerability from cvelistv5 – Published: 2023-06-22 12:49 – Updated: 2024-12-05 19:59
VLAI
Summary
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| vaadin | vaadin |
Affected:
10.0.0 , ≤ 10.0.23
(maven)
Affected: 11.0.0 , ≤ 14.10.1 (maven) Affected: 15.0.0 , ≤ 22.0.8 (maven) Affected: 23.0.0 , ≤ 23.3.13 (maven) Affected: 24.0.0 , ≤ 24.0.6 (maven) Affected: 24.1.0.alpha1 , ≤ 24.1.0.rc2 (maven) |
|
| flow | flow-server |
Affected:
1.0.0 , ≤ 1.0.20
(maven)
Affected: 1.1.0 , ≤ 2.9.2 (maven) Affected: 3.0.0 , ≤ 9.1.1 (maven) Affected: 23.0.0 , ≤ 23.3.12 (maven) Affected: 24.0.0 , ≤ 24.0.8 (maven) Affected: 24.1.0.alpha1 , ≤ 24.1.0.rc3 (maven) |
Date Public
2023-06-22 13:25
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:18.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"tags": [
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T19:59:24.082540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T19:59:30.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vaadin",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "10.0.23",
"status": "affected",
"version": "10.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "14.10.1",
"status": "affected",
"version": "11.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "22.0.8",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.13",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.rc2",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "flow-server",
"vendor": "flow",
"versions": [
{
"lessThanOrEqual": "1.0.20",
"status": "affected",
"version": "1.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "2.9.2",
"status": "affected",
"version": "1.1.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "9.1.1",
"status": "affected",
"version": "3.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.12",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.8",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.rc3",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
}
],
"datePublic": "2023-06-22T13:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests."
}
],
"value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T13:14:15.174Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2023-25500",
"datePublished": "2023-06-22T12:49:06.603Z",
"dateReserved": "2023-02-06T20:44:44.569Z",
"dateUpdated": "2024-12-05T19:59:30.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}