
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (GHSA-j9wr-49vq-rm5g) was discovered in the OSGi integration of Vaadin's flow-server component, affecting versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9) and 6.0.0 through 6.0.1 (Vaadin 19.0.0). The vulnerability was disclosed on April 16, 2021, with a CVSS score of 8.6, and allows attackers to access application classes and resources on the server through crafted HTTP requests (Vaadin Security, GitHub Advisory).
The vulnerability stems from the interaction between the OSGi Http Whiteboard specification and VaadinServlet's static resource handling. The Http Whiteboard specification makes every resource inside a bundle (JAR) available through the ServletContext to any Servlet registered from that bundle. The VaadinServlet class, through its StaticFileServer, then serves every resource reachable via the ServletContext over HTTP. Only resources in the same bundle as the servlet are affected; resources from other bundles remain inaccessible. The vulnerability is classified as CWE-402: Transmission of Private Resources into a New Sphere (Vaadin Security).
When exploited, this vulnerability allows attackers to retrieve any Java class or static resource packaged in the same bundle as the registered servlet simply by requesting its URL. The attacker needs to know at least one entry point to the system that reveals which resources are accessible. The issue has a 'High' impact on confidentiality and no direct impact on integrity or availability (Vaadin Security).
The vulnerability has been patched in versions 14.4.10 and 19.0.1. Users of Vaadin 12 and 13, which are no longer supported, are advised to upgrade to 14.4.10 or newer. For the flow-server component specifically, users on versions 1.2.0-2.4.7 should upgrade to 2.4.8 or later, and users on versions 6.0.0-6.0.1 should upgrade to 6.0.2 or later (Vaadin Security).
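As defense in depth alongside the upgrade, a servlet filter placed in front of the VaadinServlet can refuse requests for bundle internals (compiled `.class` files and `META-INF`/`OSGI-INF`/`WEB-INF` metadata) before the static-file handler sees them. This is an added illustration, not Vaadin's own fix; it assumes the Servlet 4.0 API (default `init`/`destroy` on `Filter`) and that the filter is mapped to `/*` ahead of the Vaadin servlet.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Refuses requests for bundle internals (class files, JAR/OSGi metadata) before the static-file handler sees them. */
public class BundleResourceGuardFilter implements Filter {
    // Lower-case path prefixes (relative to the context root) that hold bundle internals, never web content.
    private static final List<String> INTERNAL_PREFIXES =
            List.of("/meta-inf/", "/osgi-inf/", "/osgi-opt/", "/web-inf/");

    /** True when the request path points at something that must never be served. */
    static boolean isForbiddenPath(String rawPath) {
        String decoded;
        try {
            // Decode once so %2e%2e or %2Eclass are judged on their real characters.
            decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return true; // malformed percent-encoding: refuse rather than guess
        }
        String lower = decoded.replace('\\', '/').toLowerCase(Locale.ROOT);
        if (("/" + lower + "/").contains("/../")) {
            return true; // traversal out of the intended static-resource folder
        }
        if (lower.endsWith(".class")) {
            return true; // compiled application classes must never leave the server
        }
        for (String prefix : INTERNAL_PREFIXES) {
            if (lower.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Strip the context path so the prefix checks are relative to the application root.
        String path = http.getRequestURI().substring(http.getContextPath().length());
        if (isForbiddenPath(path)) {
            // 404 rather than 403: do not confirm that the resource exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter is a stopgap only: it cannot know which non-class resources in the bundle are sensitive, so upgrading to the patched flow-server versions remains the actual remediation.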
Source: This report was generated using AI