CVE-2020-36321

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/vaadin/flow/pull/9392	Patch Third Party Advisory
https://vaadin.com/security/cve-2020-36321	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::

History

05 May 2021, 17:26

Type	Values Removed	Values Added
References	~~(CONFIRM) https://vaadin.com/security/cve-2020-36321 -~~	(CONFIRM) https://vaadin.com/security/cve-2020-36321 - Vendor Advisory
References	~~(CONFIRM) https://github.com/vaadin/flow/pull/9392 -~~	(CONFIRM) https://github.com/vaadin/flow/pull/9392 - Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 7.5
CPE		cpe:2.3:a:vaadin:flow:::::::: cpe:2.3:a:vaadin:vaadin::::::::
CWE		CWE-22

23 Apr 2021, 16:30

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-04-23 16:15

Updated : 2023-12-10 13:55

NVD link : CVE-2020-36321

Mitre link : CVE-2020-36321

CVE.ORG link : CVE-2020-36321

JSON object : View

Products Affected

vaadin

vaadin
flow

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2020-36321", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@vaadin.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2021-04-23T16:15:08.403", "references": [{"url": "https://github.com/vaadin/flow/pull/9392", "tags": ["Patch", "Third Party Advisory"], "source": "security@vaadin.com"}, {"url": "https://vaadin.com/security/cve-2020-36321", "tags": ["Vendor Advisory"], "source": "security@vaadin.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "security@vaadin.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."}, {"lang": "es", "value": "Una comprobaci\u00f3n incorrecta de URL en el controlador del modo de desarrollo en com.vaadin:flow-server versiones 2.0.0 hasta 2.4.1 (Vaadin versiones 14.0.0 hasta 14.4.2) y versiones 3.0 anteriores a 5.0 (Vaadin versiones 15 anteriores a 18), permiten al atacante pedir archivos arbitrarios almacenados fuera de la carpeta de recursos de la interfaz prevista"}], "lastModified": "2021-05-05T17:26:01.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9F825A6-D1D8-4CA3-8595-1DEE1B99AF50", "versionEndExcluding": "2.4.2", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "796C0FAD-172F-4186-847E-5312F3664734", "versionEndExcluding": "5.0.0", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A09E99C-3093-4D42-A347-15364DB56297", "versionEndExcluding": "14.4.3", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D41F68B2-1AD5-4800-8085-8CE37869946C", "versionEndExcluding": "18.0.0", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@vaadin.com"}