CVE-2023-25500

LOW3.5EPSS 0.30%

Vaadin vulnerable to possible information disclosure of class and method names in RPC response

發布日:2023/6/22修改日:2024/2/16

描述

### Description Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. https://vaadin.com/security/cve-2023-25500

受影響套件(2)

Maven/com.vaadin:flow-server>= 1.0.0, < 1.0.21
Maven/com.vaadin:vaadin>= 10.0.0, < 10.0.24

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW3.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-25500
PATCHhttps://github.com/vaadin/platform
WEBhttps://github.com/vaadin/flow/pull/16935
WEBhttps://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x
WEBhttps://vaadin.com/security/cve-2023-25500