GHSA-qcgx-crrx-38v5

Suggest an improvement
Source
https://github.com/advisories/GHSA-qcgx-crrx-38v5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-qcgx-crrx-38v5/GHSA-qcgx-crrx-38v5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qcgx-crrx-38v5
Aliases
Published
2021-10-13T18:54:09Z
Modified
2024-05-15T05:28:16.618627Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Denial of service in DataCommunicator class in Vaadin 8
Details

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.

Database specific
{
    "nvd_published_at": "2021-10-13T11:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-13T17:39:24Z"
}
References

Affected packages

Maven / com.vaadin:vaadin-server

Package

Name
com.vaadin:vaadin-server
View open source insights on deps.dev
Purl
pkg:maven/com.vaadin/vaadin-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.6
Fixed
8.14.1

Affected versions

8.*

8.0.6
8.0.7
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0
8.5.1
8.5.2
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.7.0.beta1
8.7.0
8.7.1
8.7.2
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.9.0
8.9.1
8.9.2
8.9.3
8.9.4
8.10.0
8.10.1
8.10.2
8.10.3
8.10.4
8.10.5
8.11.0
8.11.1
8.11.2
8.11.3
8.12.0
8.12.1
8.12.2
8.12.3
8.12.4
8.13.0
8.13.1
8.13.2
8.13.3
8.14.0