CVE-2020-36319

low-risk
Published 2021-04-23

Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10 Low
NETWORK / HIGH complexity

Affected Products (2)

Flow

Affected Vendors

Vaadin

References (6)

Patch https://github.com/vaadin/flow/pull/8016
Patch https://github.com/vaadin/flow/pull/8051
Vendor Advisory https://vaadin.com/security/cve-2020-36319
Patch https://github.com/vaadin/flow/pull/8016
Patch https://github.com/vaadin/flow/pull/8051
Vendor Advisory https://vaadin.com/security/cve-2020-36319
19
/ 100
low-risk
Severity 11/34 · Low
Exploitability 1/34 · Minimal
Exposure 7/34 · Low