
CVE-2020-36319:
Potential sensitive data exposure in applications using Vaadin 15

CVSS Score
3.1

Basic Information

EPSS Score
0.6494%
Published
4/19/2021
Updated
1/29/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name
com.vaadin:flow-server
Ecosystem
maven
Vulnerable Versions
>= 3.0.0, < 3.0.6
First Patched Version
3.0.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from Vaadin's flow-server altering the ObjectMapper that Spring uses for JSON serialization so that non-public fields were treated as JSON properties. Because Spring MVC's message converters share that ObjectMapper, any `@RestController` in the same application would serialize the private fields of its response objects, exposing data the developer never intended to send to the client. The key evidence comes from:
1) The CVE description explicitly mentions an insecure ObjectMapper configuration.
2) The fix in PR #8016 shows that flow-server stopped modifying Spring's default ObjectMapper and instead created a separate, qualified ObjectMapper instance for its own endpoints.
3) The security advisory states that the patched version (flow-server 3.0.6) uses a separate ObjectMapper instance.
The objectMapper method in VaadinConnectControllerConfiguration was the entry point where this insecure configuration was applied before the patch.
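The following Java example is added here to illustrate the mechanism described above; it is not code from the Miggo page or from Vaadin's flow-server. It reproduces the effect with plain Jackson: a DTO whose only getter is `getUsername()` serializes safely with a stock ObjectMapper, but leaks its private fields once the mapper is told to treat fields of any visibility as properties (the `setVisibility(FIELD, ANY)` call is a representative reconstruction of the "include non-public fields" change, not Vaadin's exact code). The nested `MapperConfiguration` class shows the remediation pattern in the form the advisory describes, a separately qualified bean, with the bean and qualifier names (`endpointObjectMapper`, `ENDPOINT_MAPPER`) being hypothetical. It assumes jackson-databind and spring-context on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

public class ObjectMapperVisibilityDemo {

    /** Constructed DTO: only `username` has a getter, so only it is meant to reach the client. */
    public static class AccountView {
        private final String username;
        private final String passwordHash;  // no getter: must never be serialized
        private final String resetToken;    // no getter: must never be serialized

        public AccountView(String username, String passwordHash, String resetToken) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.resetToken = resetToken;
        }

        public String getUsername() {
            return username;
        }
    }

    /** Jackson's stock configuration: properties are discovered through public getters only. */
    public static ObjectMapper defaultMapper() {
        return new ObjectMapper();
    }

    /**
     * The shape of the pre-3.0.6 misconfiguration (a reconstruction, not Vaadin's code): every
     * field, whatever its visibility, becomes a JSON property. Tolerable for endpoint DTOs that
     * were designed for it, dangerous once Spring MVC uses the same mapper for @RestController.
     */
    public static ObjectMapper fieldExposingMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return mapper;
    }

    public static String toJson(ObjectMapper mapper, Object value) throws JsonProcessingException {
        return mapper.writeValueAsString(value);
    }

    /**
     * Hardened wiring (assumed pattern): the permissive mapper is a separately qualified bean that
     * only consumers asking for it by qualifier receive, while the application-wide mapper is
     * declared @Primary so that Spring MVC's message converters, which inject ObjectMapper by
     * type, keep the safe one. Spring Boot's auto-configured ObjectMapper is
     * @ConditionalOnMissingBean, so declaring any ObjectMapper bean suppresses it; the explicit
     * @Primary bean prevents the converters from silently resolving to the permissive instance.
     */
    @Configuration
    public static class MapperConfiguration {
        public static final String ENDPOINT_MAPPER = "endpointObjectMapper"; // hypothetical name

        @Bean
        @Primary
        public ObjectMapper objectMapper() {
            return defaultMapper();
        }

        @Bean
        @Qualifier(ENDPOINT_MAPPER)
        public ObjectMapper endpointObjectMapper() {
            return fieldExposingMapper();
        }
    }

    /** A consumer that explicitly opts in to the permissive mapper; nothing else receives it. */
    public static class EndpointSerializer {
        private final ObjectMapper mapper;

        public EndpointSerializer(@Qualifier(MapperConfiguration.ENDPOINT_MAPPER) ObjectMapper mapper) {
            this.mapper = mapper;
        }

        public String render(Object value) throws JsonProcessingException {
            return mapper.writeValueAsString(value);
        }
    }

    public static void main(String[] args) throws JsonProcessingException {
        // Constructed sample values; no real credentials.
        AccountView view = new AccountView("alice", "$2b$12$constructedHash", "constructed-reset-token");
        System.out.println("default mapper : " + toJson(defaultMapper(), view));
        System.out.println("exposing mapper: " + toJson(fieldExposingMapper(), view));
    }
}
```

Running `main` prints two JSON documents: the first contains only `username`, the second additionally contains `passwordHash` and `resetToken`, which is exactly what a `@RestController` returning `AccountView` would emit if Spring MVC had been handed the field-exposing mapper. When auditing an application for this class of bug, look for any `@Bean` returning `ObjectMapper` that calls `setVisibility` or `setDefaultPropertyInclusion` and confirm which bean the `MappingJackson2HttpMessageConverter` actually receives.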


WAF Protection Rules

WAF Rule

Insecure configuration of default `ObjectMapper` in `com.vaadin:flow-server` versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. `@RestController` - https://vaadin.com/security/cve-
