Vulnerability DatabaseCVE-2020-36319

CVE-2020-36319:
Java vulnerability analysis and mitigation

Overview

CVE-2020-36319 affects Vaadin Flow server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4). The vulnerability involves an insecure configuration of default ObjectMapper that could potentially expose sensitive data in applications using certain Spring features. The issue was discovered and reported by Christian Knoop, with a CVSS v3.1 base score of 3.1 (Low severity) (Vaadin Security).

Technical details

The vulnerability stems from the modification of Spring's default ObjectMapper bean to expose private and protected properties. This configuration change affects the com.vaadin:flow-server component and could lead to unintended exposure of sensitive information when used in conjunction with Spring features like @RestController. The vulnerability is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (Vaadin Security).

Impact

The vulnerability could result in the exposure of sensitive data if the application uses Spring features like @RestController alongside the affected Vaadin versions. The impact is considered low severity with a CVSS base score of 3.1, requiring network access and low privileges for exploitation (Vaadin Security).

Mitigation and workarounds

The vulnerability was fixed in Vaadin 15.0.5 (flow-server 3.0.6) by modifying only a separate ObjectMapper instance that isn't shared with other Spring functionality. Users of affected versions (Vaadin 15.0.0 - 15.0.4) should upgrade to version 15.0.5 or newer to mitigate the vulnerability (Vaadin Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

6.5

Score

Published April 23, 2021

Severity MEDIUM

CNA Score 3.1

Affected Technologies

Java
NixOS

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 59.3

Exploitation Probability (EPSS) 0.4

Affected packages and libraries

flow
com.vaadin:flow-server

Sources

NVD
GitHub Advisory Database
- Maven Severity LOWHas FixAdded at: Nov 23, 2021
Homebrew
- Homebrew Severity MEDIUMHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity MEDIUMHas FixAdded at: Nov 01, 2023

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-66516	CRITICAL	10	Java	tika	No	Yes	Dec 04, 2025
CVE-2025-66566	HIGH	8.2	Java	org.lz4:lz4-java	No	Yes	Dec 05, 2025
CVE-2025-66623	HIGH	7.4	Java	io.strimzi:strimzi	No	Yes	Dec 05, 2025
CVE-2025-11222	MEDIUM	6.1	Java	com.linecorp.centraldogma:centraldogma-server-auth-shiro	No	Yes	Dec 04, 2025
CVE-2025-66453	MEDIUM	5.5	Java	org.mozilla:rhino	No	Yes	Dec 03, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2020-36319: Java vulnerability analysis and mitigation