Home

CVE-2020-36321

Description

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.551

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2020-36321 are fixed in Vaadin-flow-server 5.0.0Windows
Vulnerabilities CVE-2020-36321 are fixed in Vaadin-flow-server 2.4.2Windows
Vulnerabilities CVE-2020-36321 are fixed in Vaadin-flow-server for Linux 5.0.0Linux
Vulnerabilities CVE-2020-36321 are fixed in Vaadin-flow-server for Linux 2.4.2Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234