CVE-2023-25500: Exposure of Sensitive Information to an Unauthorized Actor

June 22, 2023 (updated June 30, 2023)

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

References

github.com/vaadin/flow/pull/16935
nvd.nist.gov/vuln/detail/CVE-2023-25500
vaadin.com/security/cve-2023-25500

Detect and mitigate CVE-2023-25500 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →