CVE-2020-36321
Severity: MEDIUM
Vaadin Flow 2.0.0-2.4.1 and Vaadin 14.0.0-14.4.2 - Path Traversal via Development Mode Handler
Title source: llmDescription
Improper URL validation in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18), allows an attacker to request arbitrary files stored outside of the intended frontend resources folder.
References (2)
Vendor Advisory (x_refsource_misc)
https://vaadin.com/security/cve-2020-36321
Patch, Third Party Advisory (x_refsource_misc)
https://github.com/vaadin/flow/pull/9392
Scores
CVSS v3
5.9
EPSS
0.0121
EPSS Percentile
64.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (3)
com.vaadin/flow-server
3.0.0 - 5.0.0 (Maven)
vaadin/flow
2.0.0 - 2.4.2
vaadin/vaadin
14.0.0 - 14.4.3
Published
Apr 23, 2021
Tracked Since
Feb 18, 2026