CVE-2023-25500: Exposure of Sensitive Information to an Unauthorized Actor

June 22, 2023

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

References

github.com/advisories/GHSA-ch48-9r3q-pv7x
github.com/vaadin/flow/pull/16935
github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x
nvd.nist.gov/vuln/detail/CVE-2023-25500
vaadin.com/security/cve-2023-25500

Code Behaviors & Features

Detect and mitigate CVE-2023-25500 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →