CVE-2020-36321
Directory traversal in development mode handler in Vaadin 14 and 15-17
CVSS 3.1: 5.9 (MEDIUM)
EPSS: 0.55%
Description
Improper URL validation in the development mode handler in `com.vaadin:flow-server` versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18), allows an attacker to request arbitrary files stored outside of the intended frontend resources folder. Reference: https://vaadin.com/security/cve-2020-36321
How to fix CVE-2020-36321
To remediate CVE-2020-36321, upgrade the affected package to a fixed version below.
- Upgrade `com.vaadin:flow-server` to 5.0.0 or later
Is CVE-2020-36321 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `com.vaadin:flow-server` >= 3.0.0, < 5.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.9) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |