{"containers": {"cna": {"affected": [{"product": "Vaadin", "vendor": "Vaadin", "versions": [{"changes": [{"at": "15.0.0", "status": "affected"}, {"at": "18.0.0", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "14.0.0", "versionType": "custom"}]}, {"product": "flow-server", "vendor": "Vaadin", "versions": [{"changes": [{"at": "3.0.0", "status": "affected"}, {"at": "5.0.0", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "2.0.0", "versionType": "custom"}]}], "datePublic": "2020-11-26T00:00:00", "descriptions": [{"lang": "en", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://vaadin.com/security/cve-2020-36321"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vaadin/flow/pull/9392"}], "source": {"discovery": "INTERNAL"}, "title": "Directory traversal in development mode handler in Vaadin 14 and 15-17", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2020-11-26T09:17:00.000Z", "ID": "CVE-2020-36321", "STATE": "PUBLIC", "TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vaadin", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "14.0.0"}, {"platform": "", "version_affected": "<=", "version_name": "", "version_value": "14.4.2 +1"}, {"platform": "", "version_affected": ">=", "version_name": "", "version_value": "15.0.0"}, {"platform": "", "version_affected": "<", "version_name": "", "version_value": "18.0.0"}]}}, {"product_name": "flow-server", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "2.0.0"}, {"platform": "", "version_affected": "<=", "version_name": "", "version_value": "2.4.1 +1"}, {"platform": "", "version_affected": ">=", "version_name": "", "version_value": "3.0.0"}, {"platform": "", "version_affected": "<", "version_name": "", "version_value": "5.0.0"}]}}]}, "vendor_name": "Vaadin"}]}}, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://vaadin.com/security/cve-2020-36321", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2020-36321"}, {"name": "https://github.com/vaadin/flow/pull/9392", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/9392"}]}, "solution": [], "source": {"advisory": "", "defect": [], "discovery": "INTERNAL"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:23:10.431Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://vaadin.com/security/cve-2020-36321"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vaadin/flow/pull/9392"}]}]}, "cveMetadata": {"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2020-36321", "datePublished": "2021-04-23T16:05:40.889444Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-17T00:45:59.853Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9F825A6-D1D8-4CA3-8595-1DEE1B99AF50", "versionEndExcluding": "2.4.2", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "796C0FAD-172F-4186-847E-5312F3664734", "versionEndExcluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A09E99C-3093-4D42-A347-15364DB56297", "versionEndExcluding": "14.4.3", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "D41F68B2-1AD5-4800-8085-8CE37869946C", "versionEndExcluding": "18.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."}, {"lang": "es", "value": "Una comprobaci\u00f3n incorrecta de URL en el controlador del modo de desarrollo en com.vaadin:flow-server versiones 2.0.0 hasta 2.4.1 (Vaadin versiones 14.0.0 hasta 14.4.2) y versiones 3.0 anteriores a 5.0 (Vaadin versiones 15 anteriores a 18), permiten al atacante pedir archivos arbitrarios almacenados fuera de la carpeta de recursos de la interfaz prevista"}], "id": "CVE-2020-36321", "lastModified": "2024-11-21T05:29:16.367", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@vaadin.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-23T16:15:08.403", "references": [{"source": "security@vaadin.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/9392"}, {"source": "security@vaadin.com", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2020-36321"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/9392"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2020-36321"}], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@vaadin.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}