Moderate severity · NVD Advisory · Published May 24, 2022 · Updated Sep 16, 2024
Possible information disclosure inside TreeGrid component with default data provider
CVE-2022-29567
Description
The default configuration of a TreeGrid component uses Object::toString as the row key in client-server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.
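To make the mechanism concrete, here is an added, dependency-free Java simulation (not Vaadin's code, and not the fix from the referenced pull request): a row whose toString() includes a server-only field becomes client-visible when the row key is derived from toString(), while an opaque server-generated key does not leak it. The Employee record, the field names and the OpaqueKeyMapper class are constructed for this illustration; the actual remediation is upgrading to the patched versions listed below.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Constructed sample row: a record's generated toString() prints every component,
// including one that must never reach the browser.
record Employee(int id, String name, String salaryBand) {}

public class RowKeyDemo {
    // Pattern described in the advisory: the key sent to the client is derived from
    // Object.toString(), so whatever toString() renders becomes client-visible.
    static String toStringKey(Employee e) {
        return String.valueOf(e); // Employee[id=7, name=Ada, salaryBand=...]
    }

    // Hardened pattern: an opaque, server-generated key. The server keeps the
    // key <-> item mapping; the client only sees a counter value.
    static final class OpaqueKeyMapper<T> {
        private final Map<T, String> itemToKey = new HashMap<>();
        private final Map<String, T> keyToItem = new HashMap<>();
        private long next = 0;

        String key(T item) {
            return itemToKey.computeIfAbsent(item, i -> {
                String k = Long.toString(++next);
                keyToItem.put(k, i);
                return k;
            });
        }

        T resolve(String key) {
            return keyToItem.get(key);
        }
    }

    // Defender's check: does the client-visible key contain any server-only value?
    static boolean keyLeaks(Function<Employee, String> keyFn, Employee e, String... secrets) {
        String key = keyFn.apply(e);
        for (String s : secrets) {
            if (key.contains(s)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Employee e = new Employee(7, "Ada", "L7-confidential");
        OpaqueKeyMapper<Employee> mapper = new OpaqueKeyMapper<>();
        System.out.println("toString key leaks: " + keyLeaks(RowKeyDemo::toStringKey, e, "L7-confidential"));
        System.out.println("opaque key leaks:   " + keyLeaks(mapper::key, e, "L7-confidential"));
        System.out.println("opaque key resolves: " + (mapper.resolve(mapper.key(e)) == e));
    }
}
```

Running it prints true for the toString-derived key and false for the opaque key, which is the difference between the affected and patched behaviour in outline.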
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.vaadin:vaadin | Maven | >= 14.8.5, < 14.8.10 | 14.8.10 |
| com.vaadin:vaadin | Maven | >= 22.0.6, < 22.0.15 | 22.0.15 |
| com.vaadin:vaadin | Maven | >= 23.0.0, < 23.0.9 | 23.0.9 |
| com.vaadin:vaadin-grid-flow | Maven | >= 14.8.5, < 14.8.10 | 14.8.10 |
| com.vaadin:vaadin-grid-flow | Maven | >= 22.0.6, < 22.0.15 | 22.0.15 |
| com.vaadin:vaadin-grid-flow | Maven | >= 23.0.0.beta2, < 23.0.9 | 23.0.9 |
Affected products
- Vaadin/vaadin-grid-flow v5, Range: 14.8.5
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-qfr3-323w-qv27 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-29567 (NVD advisory)
- https://github.com/vaadin/flow-components/pull/3046 (fix pull request)
- https://github.com/vaadin/platform/security/advisories/GHSA-qfr3-323w-qv27 (vendor advisory)
- https://vaadin.com/security/cve-2022-29567 (vendor security page)