4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
31.4%
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data. See CWE-400: Uncontrolled Resource Consumption Description ComboBox and Grid components in Vaadin 8 use com.vaadin.data.provider.DataCommunicator class to retrieve rows of data from the back end data source. Missing check for number of requested rows in DataCommunicator allows authenticated network attackers who have access to the view with affected ComboBox or Grid components to request an arbitrary amount of data. If the underlying dataset is big enough, it may cause heap exhaustion and, therefore, impact service availability. This vulnerability cannot not cause execution of untrusted code or disclosure of sensitive information. Affected products and mitigation Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Mitigation Vaadin 8.0.0 - 8.14.0 Upgrade to 8.14.1 or newer 8 version Artifacts Maven coordinates Vulnerable version Fixed version com.vaadin:vaadin-server 8.0.0 - 8.14.0 ≥ 8.14.1 References PR: https://github.com/vaadin/framework/pull/12415
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
31.4%