{"id":"CVE-2020-36319","details":"Insecure configuration of the default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses, for example, @RestController.","aliases":["GHSA-rjww-2x8v-m9v9"],"modified":"2026-04-12T00:00:42.990484Z","published":"2021-04-23T16:15:08.317Z","references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2020-36319"},{"type":"FIX","url":"https://github.com/vaadin/flow/pull/8016"},{"type":"FIX","url":"https://github.com/vaadin/flow/pull/8051"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/flow","events":[{"introduced":"4b6ca4330163c4e976b32d03880fe2154a9d1ca7"},{"fixed":"30a303ec4204dfa8cfc2664e320429194bc5f819"}],"database_specific":{"extracted_events":[{"introduced":"3.0.0"},{"fixed":"3.0.6"}],"cpe":"cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["3.0.0","3.0.0.beta5","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36319.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/vaadin","events":[{"introduced":"9efda1b1e0a27769eef9292dd7799d8fea77e633"},{"fixed":"be1c66928f900921032329388bc52bd548a33b31"}],"database_specific":{"extracted_events":[{"introduced":"15.0.0"},{"fixed":"15.0.5"}],"cpe":"cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["v15.0.0","v15.0.1","v15.0.2","v15.0.3","v15.0.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36319.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}