{"id":"CVE-2022-29567","summary":"Possible information disclosure inside TreeGrid component with default data provider","details":"The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.","aliases":["GHSA-qfr3-323w-qv27"],"modified":"2026-05-18T05:53:46.904711353Z","published":"2022-05-24T14:20:19.452Z","database_specific":{"cwe_ids":["CWE-200"],"cna_assigner":"Vaadin","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29567.json"},"references":[{"type":"WEB","url":"https://vaadin.com/security/cve-2022-29567"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29567.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29567"},{"type":"FIX","url":"https://github.com/vaadin/flow-components/pull/3046"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/platform","events":[{"introduced":"bc402cf899942f74a62993f8e612af466bee056f"},{"last_affected":"807b2087b918f43525d5bd443e3608bf86583322"},{"introduced":"913a1d49e922efad85dbef6888b18bc011dc5650"},{"last_affected":"f2d230ec7a1ba939c7230723fac1089fad2b2006"},{"introduced":"5430e0a3e45842600792de19a6a6784761c96da4"},{"last_affected":"ab17ce191141b2f8bb69e6a7cf4a1db075904c4f"},{"introduced":"0"},{"last_affected":"0b73a5a157b036577d09a9f65559714246ab6e6e"},{"last_affected":"d9148ca59e6776a9a19a25f433d7e7d6b128f5cc"},{"last_affected":"fc60c72ff5837399ab2586c7471c0ebecc0747c8"},{"last_affected":"97a6e2c3b1d955cc55233f141a61e6bc34fbc9ee"},{"last_affected":"0ad2e4b13320ecb540c5ca52db736f589113dacd"},{"last_affected":"76f347ed2c4ad988a62ea5fb87b16e4faef646f8"},{"last_affected":"5e22e93635cbaae172c59939441645284029e168"},{"last_affected":"a4c9f2cb18bdb24fbffea34e79588ab83dfc7671"},{"last_affected":"1c505b3f9875b925113bed183136d8a357651e34"}],"database_specific":{"extracted_events":[{"introduced":"14.8.5"},{"last_affected":"14.8.9"},{"introduced":"22.0.6"},{"last_affected":"22.0.15"},{"introduced":"23.0.1"},{"last_affected":"23.0.8"},{"introduced":"0"},{"last_affected":"23.0.0-NA"},{"last_affected":"23.0.0-beta2"},{"last_affected":"23.0.0-beta3"},{"last_affected":"23.0.0-beta4"},{"last_affected":"23.0.0-rc1"},{"last_affected":"23.1.0-alpha1"},{"last_affected":"23.1.0-alpha2"},{"last_affected":"23.1.0-alpha3"},{"last_affected":"23.1.0-alpha4"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:-:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:beta2:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:beta3:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:beta4:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha2:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha3:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha4:*:*:*:*:*:*"]}}],"versions":["22.0.15","23.0.8","23.1.0.alpha4","22.0.14","14.8.9","23.0.7","23.1.0.alpha3","14.8.8","22.0.13","23.0.6","23.1.0.alpha2","23.0.5","23.1.0.alpha1","22.0.12","14.8.7","23.0.4","22.0.11","14.8.6","23.0.3","23.0.2","22.0.10","14.8.5","22.0.9","22.0.8","23.0.1","23.0.0","22.0.7","23.0.0.rc1","23.0.0.beta4","22.0.6","23.0.0.beta3","23.0.0.beta2","23.0.0.beta1","23.0.0.alpha4","23.0.0.alpha3","23.0.0.alpha2","23.0.0.alpha1","22.0.0.beta3","22.0.0.beta2","22.0.0.beta1","22.0.0.alpha9","22.0.0.alpha8","22.0.0.alpha7","22.0.0.alpha6","22.0.0.alpha5","22.0.0.alpha4","22.0.0.alpha3","22.0.0.alpha2","22.0.0.alpha1","21.0.0.alpha10","21.0.0.alpha9","21.0.0.alpha8","21.0.0.alpha7","21.0.0.alpha6","21.0.0.alpha5","21.0.0.alpha4","21.0.0.alpha3","21.0.0.alpha2","21.0.0.alpha1","20.0.0.alpha8","20.0.0.alpha7","20.0.0.alpha6","20.0.0.alpha5","20.0.0.alpha4","20.0.0.alpha3","19.0.0.beta4","19.0.0.beta3","19.0.0.beta2","19.0.0.beta1","19.0.0.alpha5","19.0.0.alpha4","19.0.0.alpha3","19.0.0.alpha2","19.0.0.alpha1","18.0.0.beta2","18.0.0.beta1","18.0.0.alpha1","17.0.0","17.0.0.rc2","17.0.0.rc1","17.0.0.beta3","17.0.0.beta2","17.0.0.beta1","17.0.0.alpha7","17.0.0.alpha6","16.0.1","17.0.0.alpha5","17.0.0.alpha4","17.0.0.alpha3","17.0.0.alpha2","16.0.0.alpha3","16.0.0.alpha2","16.0.0.alpha1","15.0.0.rc1","15.0.0","15.0.0.beta5","15.0.0.beta4","15.0.0.beta3","15.0.0.beta2","15.0.0.beta1","15.0.0.alpha15","15.0.0.alpha14","15.0.0.alpha13","15.0.0.alpha12","15.0.0.alpha11","15.0.0.alpha10","15.0.0.alpha9","15.0.0.alpha6","15.0.0.alpha5","14.1.0.rc1","14.1.0.beta3","15.0.0.alpha4","15.0.0.alpha3","14.1.0.alpha5","14.1.0.alpha4","15.0.0.alpha2","14.1.0.alpha2","15.0.0.alpha1","14.0.2","14.0.1","14.0.0","14.0.0.rc9","14.0.0.rc7","14.0.0.rc6","14.0.0.rc5","14.0.0.rc4","14.0.0.rc3","14.0.0.rc2","14.0.0.rc1","14.0.0.beta3","14.0.0.beta2","14.0.0.beta1","14.0.0.alpha4","14.0.0.alpha3","14.0.0.alpha2","14.0.0.alpha1","13.0.1","13.0.0","13.0.0.beta3","13.0.0.beta2","13.0.0.beta1","13.0.0.alpha4","13.0.0.alpha3","13.0.0.alpha2","13.0.0.alpha1","12.0.0.beta2","12.0.0.beta1","12.0.0.alpha5","12.0.0.alpha4","12.0.0.alpha3","12.0.0.alpha2","12.0.0.alpha1","11.0.0.beta1","11.0.0.alpha1","10.0.2","10.0.1","10.0.0","10.0.0.rc5","10.0.0.rc4","10.0.0.rc3","10.0.0.rc2","10.0.0.rc1","10.0.0.beta11","10.0.0.beta10","10.0.0.beta9","10.0.0.beta8","10.0.0.beta7","10.0.0.beta6","10.0.0.beta5","10.0.0.beta4","10.0.0.beta3","10.0.0.beta2","10.0.0.beta1","10.0.0.alpha23","10.0.0.alpha22","10.0.0.alpha21","10.0.0.alpha20","10.0.0.alpha19","10.0.0.alpha18","10.0.0.alpha17","10.0.0.alpha16","10.0.0.alpha15","10.0.0.alpha14","10.0.0.alpha13","10.0.0.alpha12","10.0.0.alpha11","10.0.0.alpha10","10.0.0.alpha9","10.0.0.alpha8","10.0.0.alpha7","10.0.0-alpha6","10.0.0-alpha5","10.0.0.alpha4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29567.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/vaadin","events":[{"introduced":"acb11dbc88fa66aaca85c84bdb9158338b0141ca"},{"last_affected":"19e688830a7b47ff74857555288733c9df8cef50"},{"introduced":"9e1bcd8531e89bac4f2c23e534e8d7235de05580"},{"last_affected":"0d051d2c8b12fd24f23d0849ef6eef777f6d3fc0"},{"introduced":"af8d02bb26203d51353e6d81c7ced532bf88bf68"},{"last_affected":"d8f21a82bf0d77712fd5632d45472daf02302ba0"},{"introduced":"0"},{"last_affected":"e107b1973a390cafc749031e033f37de7b9a4a1f"},{"last_affected":"797a094de8037349b5764a877c1cf070095a443c"},{"last_affected":"4d8a44f8340b59947b0dc811f49f95177dac9e37"},{"last_affected":"c4e342720c19f3256a0842760604cfacd5c6ef50"},{"last_affected":"d92b2d4097beb33316694c9e2587469e5207e8df"},{"last_affected":"7c68c2375108234d6cba8121f9511f71e31abf0f"},{"last_affected":"9f159ae5656090c2a95dff19294a0b12fc35adad"},{"last_affected":"ecba60cf1dd00d8576a506d6bf94cef81c4b23ff"},{"last_affected":"71398ebce2ffe466589ce3e6789f1cea6781931f"}],"database_specific":{"extracted_events":[{"introduced":"14.8.5"},{"last_affected":"14.8.9"},{"introduced":"22.0.6"},{"last_affected":"22.0.15"},{"introduced":"23.0.1"},{"last_affected":"23.0.8"},{"introduced":"0"},{"last_affected":"23.0.0-NA"},{"last_affected":"23.0.0-beta2"},{"last_affected":"23.0.0-beta3"},{"last_affected":"23.0.0-beta4"},{"last_affected":"23.0.0-rc1"},{"last_affected":"23.1.0-alpha1"},{"last_affected":"23.1.0-alpha2"},{"last_affected":"23.1.0-alpha3"},{"last_affected":"23.1.0-alpha4"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:-:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:beta2:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:beta3:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:beta4:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha2:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha3:*:*:*:*:*:*","cpe:2.3:a:vaadin:vaadin:23.1.0:alpha4:*:*:*:*:*:*"]}}],"versions":["v22.0.15","v23.0.8","v14.8.9","v22.0.14","v23.1.0-alpha4","v23.0.7","v23.1.0-alpha3","v23.0.6","v14.8.8","v22.0.13","v23.1.0-alpha2","v23.0.5","v23.1.0-alpha1","v23.0.4","v14.8.7","v22.0.12","v23.0.0","v23.0.3","v22.0.11","v14.8.6","v23.0.2","v22.0.10","v23.0.1","v22.0.9","v14.8.5","v22.0.8","v22.0.7","v23.0.0-rc1","v22.0.6","v23.0.0-beta4","v23.0.0-beta3","v23.0.0-beta2","v23.0.0-beta1","v23.0.0-alpha4","v23.0.0-alpha3","v23.0.0-alpha2","v23.0.0-alpha1","v22.0.0-beta3","v22.0.0-beta2","v22.0.0-beta1","v22.0.0-alpha9","v22.0.0-alpha8","v22.0.0-alpha7","v22.0.0-alpha6","v22.0.0-alpha5","v22.0.0-alpha4","v22.0.0-alpha3","v22.0.0-alpha2","v22.0.0-alpha1","v21.0.0-alpha10","v21.0.0-alpha0","v21.0.0-alpha9","v21.0.0-alpha8","v21.0.0-alpha7","v21.0.0-alpha6","v21.0.0-alpha5","v21.0.0-alpha4","v21.0.0-alpha3","v21.0.0-alpha2","v21.0.0-alpha1","v20.0.0-alpha8","v20.0.0-alpha7","v20.0.0-alpha6","v20.0.0-alpha5","v20.0.0-alpha4","v20.0.0-alpha3","v20.0.0-alpha2","v20.0.0-alpha1","v19.0.0-beta3","v19.0.0-beta2","v19.0.0-beta1","v19.0.0-alpha5","v19.0.0-alpha4","v19.0.0-alpha3","v19.0.0-alpha2","v19.0.0-alpha1","v18.0.0-beta2","v18.0.0-beta1","v18.0.0-alpha1","v17.0.0","v17.0.0-rc1","v17.0.0-rc2","v17.0.0-beta3","v17.0.0-beta2","v17.0.0-beta1","v17.0.0-alpha7","v17.0.0-alpha6","v17.0.0-alpha5","v17.0.0-alpha4","v17.0.0-alpha3","v17.0.0-alpha2","v17.0.0-alpha1","v16.0.0-alpha3","v16.0.0-alpha2","v16.0.0-alpha1","v15.0.0-rc1","v15.0.0-beta5","v15.0.0-beta4","v15.0.0-beta3","v15.0.0-beta2","v15.0.0-beta1","v15.0.0-alpha15","v15.0.0-alpha14","v15.0.0-alpha13","v15.0.0-alpha12","v15.0.0-alpha11","v15.0.0-alpha10","v15.0.0-alpha9","v15.0.0-alpha8","v15.0.0-alpha7","v15.0.0-alpha6","v15.0.0-alpha5","v15.0.0-alpha4","v15.0.0-alpha3","v15.0.0-alpha2","v15.0.0-alpha1","v14.0.2","v14.0.1","v14.0.0","v14.0.0-rc9","v14.0.0-rc8","v14.0.0-rc7","v14.0.0-rc6","v14.0.0-rc5","v14.0.0-rc4","v14.0.0-rc3","v14.0.0-rc2","v14.0.0-rc1","v14.0.0-beta3","v14.0.0-beta2","v14.0.0-beta1","v14.0.0-alpha4","v14.0.0-alpha3","v14.0.0-alpha2","v14.0.0-alpha1","v13.0.1","v13.0.0","v13.0.0-beta3","v13.0.0-beta2","v13.0.0-beta1","v13.0.0-alpha4","v13.0.0-alpha3","v13.0.0-alpha2","v13.0.0-alpha1","v12.0.2","v12.0.1","v12.0.0","v12.0.0-beta2","v12.0.0-beta1","v12.0.0-alpha5","v12.0.0-alpha4","v12.0.0-alpha3","v12.0.0-alpha2","v12.0.0-alpha1","v10.0.2","v11.0.0-beta1","v11.0.0-alpha1","v10.0.1","v10.0.0","v10.0.0-rc5","v10.0.0-rc4","v10.0.0-rc3","v10.0.0-rc2","v10.0.0-rc1","v10.0.0-beta11","v10.0.0-beta10","v10.0.0-beta9","v10.0.0-beta8","v10.0.0-beta7","v10.0.0-beta6","v10.0.0-beta5","v10.0.0-beta4","v10.0.0-beta3","v10.0.0-beta2","v10.0.0-beta1","v10.0.0-alpha23","v10.0.0-alpha22","v10.0.0-alpha21","v10.0.0-alpha20","v10.0.0-alpha19","v10.0.0-alpha18","v10.0.0-alpha17","v10.0.0-alpha16","v10.0.0-alpha15","v10.0.0-alpha14","v10.0.0-alpha13","v10.0.0-alpha12","v10.0.0-alpha11","v10.0.0-alpha10","v10.0.0-alpha9","v10.0.0-alpha8","v10.0.0-alpha7","v10.0.0-alpha6","v10.0.0-alpha5","v2.0.0-alpha3","v2.0.0-alpha2","v2.0.0-alpha1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29567.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"}]}