CVE-2020-36321 - Vulnerability Details - OpenCVE

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00551.

Key SSVC decision points have not yet been added.

Vendors	Products
Vaadin	Flow Vaadin

Configuration 1 [-]

OR	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-0753	Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
Github GHSA	GHSA-49r2-73m6-pp8f	Directory traversal in development mode handler in Vaadin 14 and 15-17

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/vaadin/flow/pull/9392
https://vaadin.com/security/cve-2020-36321

History

No history.

MITRE

Status: PUBLISHED

Assigner: Vaadin

Published: 2021-04-23T16:05:40.889444Z

Updated: 2024-09-17T00:45:59.853Z

Reserved: 2021-04-13T00:00:00

Link: CVE-2020-36321

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-23T16:15:08.403

Modified: 2024-11-21T05:29:16.367

Link: CVE-2020-36321

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Vaadin", "vendor": "Vaadin", "versions": [{"changes": [{"at": "15.0.0", "status": "affected"}, {"at": "18.0.0", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "14.0.0", "versionType": "custom"}]}, {"product": "flow-server", "vendor": "Vaadin", "versions": [{"changes": [{"at": "3.0.0", "status": "affected"}, {"at": "5.0.0", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "2.0.0", "versionType": "custom"}]}], "datePublic": "2020-11-26T00:00:00", "descriptions": [{"lang": "en", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://vaadin.com/security/cve-2020-36321"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vaadin/flow/pull/9392"}], "source": {"discovery": "INTERNAL"}, "title": "Directory traversal in development mode handler in Vaadin 14 and 15-17", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2020-11-26T09:17:00.000Z", "ID": "CVE-2020-36321", "STATE": "PUBLIC", "TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vaadin", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "14.0.0"}, {"platform": "", "version_affected": "<=", "version_name": "", "version_value": "14.4.2 +1"}, {"platform": "", "version_affected": ">=", "version_name": "", "version_value": "15.0.0"}, {"platform": "", "version_affected": "<", "version_name": "", "version_value": "18.0.0"}]}}, {"product_name": "flow-server", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "2.0.0"}, {"platform": "", "version_affected": "<=", "version_name": "", "version_value": "2.4.1 +1"}, {"platform": "", "version_affected": ">=", "version_name": "", "version_value": "3.0.0"}, {"platform": "", "version_affected": "<", "version_name": "", "version_value": "5.0.0"}]}}]}, "vendor_name": "Vaadin"}]}}, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://vaadin.com/security/cve-2020-36321", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2020-36321"}, {"name": "https://github.com/vaadin/flow/pull/9392", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/9392"}]}, "solution": [], "source": {"advisory": "", "defect": [], "discovery": "INTERNAL"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:23:10.431Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://vaadin.com/security/cve-2020-36321"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vaadin/flow/pull/9392"}]}]}, "cveMetadata": {"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2020-36321", "datePublished": "2021-04-23T16:05:40.889444Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-17T00:45:59.853Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9F825A6-D1D8-4CA3-8595-1DEE1B99AF50", "versionEndExcluding": "2.4.2", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "796C0FAD-172F-4186-847E-5312F3664734", "versionEndExcluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A09E99C-3093-4D42-A347-15364DB56297", "versionEndExcluding": "14.4.3", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "D41F68B2-1AD5-4800-8085-8CE37869946C", "versionEndExcluding": "18.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."}, {"lang": "es", "value": "Una comprobaci\u00f3n incorrecta de URL en el controlador del modo de desarrollo en com.vaadin:flow-server versiones 2.0.0 hasta 2.4.1 (Vaadin versiones 14.0.0 hasta 14.4.2) y versiones 3.0 anteriores a 5.0 (Vaadin versiones 15 anteriores a 18), permiten al atacante pedir archivos arbitrarios almacenados fuera de la carpeta de recursos de la interfaz prevista"}], "id": "CVE-2020-36321", "lastModified": "2024-11-21T05:29:16.367", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@vaadin.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-23T16:15:08.403", "references": [{"source": "security@vaadin.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/9392"}, {"source": "security@vaadin.com", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2020-36321"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/9392"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2020-36321"}], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@vaadin.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}