GHSA-76f4-fw33-6j2v: 
Java vulnerability analysis and mitigation

A low severity vulnerability (CVE-2020-36319) was discovered in Vaadin platform versions 15.0.0 through 15.0.4, specifically affecting the com.vaadin:flow-server component versions 3.0.0 through 3.0.5. The vulnerability was discovered by Christian Knoop and was published on April 16, 2021. The issue relates to an insecure configuration of the default ObjectMapper in the flow-server component that could potentially expose sensitive data in applications using certain Spring configurations (Vaadin Security).

The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. The technical issue stems from the modification of the default ObjectMapper bean in Spring to expose private and protected properties. This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory, Vaadin Security).

The vulnerability could lead to the exposure of sensitive data, particularly in applications that use @RestController alongside Vaadin. The impact is limited to confidentiality with no effect on integrity or availability of the system (Vaadin Security).

The vulnerability has been fixed in Vaadin version 15.0.5 and flow-server version 3.0.6. The fix involves modifying a separate ObjectMapper instance that isn't shared with other Spring functionality. Users of affected versions (15.0.0 - 15.0.4) are advised to upgrade to version 15.0.5 or newer (Vaadin Security).