Description
Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
Remediation
References
https://github.com/vaadin/flow/pull/9392
https://vaadin.com/security/cve-2020-36321
Related Vulnerabilities
CVE-2023-30543 Vulnerability in npm package @web3-react/coinbase-wallet
CVE-2021-21307 Vulnerability in maven package org.lucee:lucee
CVE-2022-40309 Vulnerability in maven package org.apache.archiva:maven2-repository
CVE-2017-15879 Vulnerability in npm package keystone
CVE-2018-1000632 Vulnerability in maven package org.jenkins-ci.dom4j:dom4j