Vaadin Vulnerabilities


Scanning a project based on CUBA Platform with DependencyCheck (GitHub - jeremylong/DependencyCheck: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.) gives the following vulnerabilities that look like related to CUBA with high severity (and highest confidence, evidence count > 30 for all of them):

  1. vaadin-compatibility-server-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:*

  2. vaadin-compatibility-shared-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:*

  3. vaadin-push-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:*

  4. vaadin-server-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:*

  5. vaadin-shared-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:*

Could you advise on the fixes or planned fixes for these vulnerabilities please? Is Jmix also vulnerable?

Hi Maxim,

Yes, we are going to update CUBA 7.2 to the latest Vaadin 8.14, perhaps in the next few weeks.
Jmix 1.1 is already on 8.14.


1 Like

Hi Konstantin,

I would like to follow up the Vaadin 8.14


Hi CK,

CUBA was updated to Vaadin 8.14 in version 7.2.17 last December.


1 Like