5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29567

GHSA ID

GHSA-qfr3-323w-qv27

EPSS Score

0.38521%

CWE

CWE-200

Published

5/25/2022

Updated

5/15/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29567

CVE-2022-29567: Possible information disclosure inside TreeGrid component with default data provider

Description

The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.

(GitHub Advisory)

5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29567

GHSA ID

GHSA-qfr3-323w-qv27

EPSS Score

0.38521%

CWE

CWE-200

Published

5/25/2022

Updated

5/15/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.vaadin:vaadin	maven	>= 14.8.5, < 14.8.10	14.8.10
com.vaadin:vaadin	maven	>= 22.0.6, < 22.0.15	22.0.15
com.vaadin:vaadin	maven	>= 23.0.0, < 23.0.9	23.0.9
com.vaadin:vaadin-grid-flow	maven	>= 14.8.5, < 14.8.10	14.8.10
com.vaadin:vaadin-grid-flow	maven	>= 22.0.6, < 22.0.15	22.0.15
com.vaadin:vaadin-grid-flow	maven	>= 23.0.0.beta2, < 23.0.9	23.0.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using Object::toString() as the default key provider in TreeGrid's data communication. The GitHub PR #3046 shows the fix replaced this with numeric IDs, explicitly addressing the toString() exposure. The affected methods are core data provider initialization points in TreeGrid.java, where the default key provider would be set unless explicitly overridden. The high confidence comes from direct evidence in commit messages and the patching strategy focused on these methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription T** ****ult *on*i*ur*tion o* * Tr***ri* *ompon*nt us*s O*j**t::toStrin* *s * k*y on t** *li*nt-si** *n* s*rv*r *ommuni**tion in V***in **.*.* t*rou** **.*.*, **.*.* t*rou** **.*.**, **.*.*.**t** t*rou** **.*.* *n* **.*.*.*lp*** t*rou

Reasoning

T** vuln*r**ility st*ms *rom usin* `O*j**t::toStrin*()` *s t** ****ult k*y provi**r in Tr***ri*'s **t* *ommuni**tion. T** *it*u* PR #**** s*ows t** *ix r*pl**** t*is wit* num*ri* I*s, *xpli*itly ***r*ssin* t** `toStrin*()` *xposur*. T** *****t** m*t*

5.7

Basic Information

Concerned about an active attack path?

CVE-2022-29567: Possible information disclosure inside TreeGrid component with default data provider

Description

5.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI