CVE-2023-25500

Summary

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

Affected Software

VendorProductVersion RangeStatus
vaadinvaadin10.0.0 <= 10.0.23affected
vaadinvaadin11.0.0 <= 14.10.1affected
vaadinvaadin15.0.0 <= 22.0.8affected
vaadinvaadin23.0.0 <= 23.3.13affected
vaadinvaadin24.0.0 <= 24.0.6affected
vaadinvaadin24.1.0.alpha1 <= 24.1.0.rc2affected
flowflow-server1.0.0 <= 1.0.20affected
flowflow-server1.1.0 <= 2.9.2affected
flowflow-server3.0.0 <= 9.1.1affected
flowflow-server23.0.0 <= 23.3.12affected
flowflow-server24.0.0 <= 24.0.8affected
flowflow-server24.1.0.alpha1 <= 24.1.0.rc3affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References