CVE-2023-25499

Summary

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

Affected Software

VendorProductVersion RangeStatus
vaadinvaadin10.0.0 <= 10.0.22affected
vaadinvaadin11.0.0 <= 14.10.0affected
vaadinvaadin15.0.0 <= 22.0.28affected
vaadinvaadin23.0.0 <= 23.3.12affected
vaadinvaadin24.0.0 <= 24.0.5affected
vaadinvaadin24.1.0.alpha1 <= 24.1.0.beta1affected
vaadinflow-server1.0.0 <= 24.0.0.beta1affected
vaadinflow-server1.1.0 <= 2.8.9affected
vaadinflow-server3.3.0 <= 9.1.0affected
vaadinflow-server23.0.0 <= 23.3.10affected
vaadinflow-server24.0.0 <= 24.0.7affected
vaadinflow-server24.1.0.alpha1 <= 24.1.0.beta1affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References