mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
165 lines
6.9 KiB
JSON
165 lines
6.9 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "security@vaadin.com",
|
|
"DATE_PUBLIC": "2022-05-24T10:44:00.000Z",
|
|
"ID": "CVE-2022-29567",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "Possible information disclosure inside TreeGrid component with default data provider"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "vaadin",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "14.8.5"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "14.8.9"
|
|
},
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "22.0.6"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "22.0.14"
|
|
},
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "23.0.0.beta2"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "23.0.8"
|
|
},
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "23.1.0.alpha1"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "23.1.0.alpha4"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "vaadin-grid-flow",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "14.8.5"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "14.8.9"
|
|
},
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "22.0.6"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "22.0.14"
|
|
},
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "23.0.0.beta2"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "23.0.8"
|
|
},
|
|
{
|
|
"version_affected": ">=",
|
|
"version_value": "23.1.0.alpha1"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_value": "23.1.0.alpha4"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "Vaadin"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side."
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.0.9"
|
|
},
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 5.7,
|
|
"baseSeverity": "MEDIUM",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "NONE",
|
|
"privilegesRequired": "LOW",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "REQUIRED",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-200 Information Exposure"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://vaadin.com/security/cve-2022-29567",
|
|
"name": "https://vaadin.com/security/cve-2022-29567"
|
|
},
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://github.com/vaadin/flow-components/pull/3046",
|
|
"name": "https://github.com/vaadin/flow-components/pull/3046"
|
|
}
|
|
]
|
|
},
|
|
"source": {
|
|
"discovery": "EXTERNAL"
|
|
},
|
|
"work_around": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "User might define either: custom `toString()` or `getId()` in their entity."
|
|
}
|
|
]
|
|
} |