Vaadin Framework Portlet Information Disclosure Vulnerability

Summary
This web application is running the Vaadin Framework, which is prone to an information disclosure vulnerability because the application fails to properly sanitize user-supplied input.
Impact
A remote user who has access to a portlet on the portal may be able to read files in the portlet deployment directory using specially crafted resource requests, provided the attacker knows the file name.
Solution
Upgrade to Vaadin Framework version 6.8.10 or later / 7.0.4 or later. For updates, refer to http://www.vaadin.com/releases
Insight
This flaw exists due to existing unused code in AbstractApplicationPortlet.
Affected
Vaadin Framework versions from 6.2.0 up to 6.8.9 / from 7.0.0 up to 7.0.3
Detection
Check the version.