CVE-2022-29567

The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.
References
Link Resource
https://github.com/vaadin/flow-components/pull/3046 Issue Tracking Patch Third Party Advisory
https://vaadin.com/security/cve-2022-29567 Issue Tracking Vendor Advisory
https://github.com/vaadin/flow-components/pull/3046 Issue Tracking Patch Third Party Advisory
https://vaadin.com/security/cve-2022-29567 Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:-:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha4:*:*:*:*:*:*

History

21 Nov 2024, 06:59

Type Values Removed Values Added
References () https://github.com/vaadin/flow-components/pull/3046 - Issue Tracking, Patch, Third Party Advisory () https://github.com/vaadin/flow-components/pull/3046 - Issue Tracking, Patch, Third Party Advisory
References () https://vaadin.com/security/cve-2022-29567 - Issue Tracking, Vendor Advisory () https://vaadin.com/security/cve-2022-29567 - Issue Tracking, Vendor Advisory
CVSS v2 : 5.0
v3 : 7.5
v2 : 5.0
v3 : 5.7

07 Jun 2022, 16:59

Type Values Removed Values Added
CPE cpe:2.3:a:vaadin:vaadin:23.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:-:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.1.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:23.0.0:beta2:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
CWE CWE-200
References (MISC) https://vaadin.com/security/cve-2022-29567 - (MISC) https://vaadin.com/security/cve-2022-29567 - Issue Tracking, Vendor Advisory
References (MISC) https://github.com/vaadin/flow-components/pull/3046 - (MISC) https://github.com/vaadin/flow-components/pull/3046 - Issue Tracking, Patch, Third Party Advisory

24 May 2022, 15:23

Type Values Removed Values Added
New CVE

Information

Published : 2022-05-24 15:15

Updated : 2024-11-21 06:59


NVD link : CVE-2022-29567

Mitre link : CVE-2022-29567

CVE.ORG link : CVE-2022-29567


JSON object : View

Products Affected

vaadin

  • vaadin
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor