Vaadin Vulnerabilities

maxim_vasin · November 1, 2021, 8:48am

Hello!

Scanning a project based on CUBA Platform with DependencyCheck (GitHub - jeremylong/DependencyCheck: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.) gives the following vulnerabilities that look like related to CUBA with high severity (and highest confidence, evidence count > 30 for all of them):

vaadin-compatibility-server-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:8.9.2.27:::::::*
vaadin-compatibility-shared-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:8.9.2.27:::::::*
vaadin-push-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:8.9.2.27:::::::*
vaadin-server-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:8.9.2.27:::::::*
vaadin-shared-8.9.2-27-cuba.jar - cpe:2.3:a:vaadin:vaadin:8.9.2.27:::::::*

Could you advise on the fixes or planned fixes for these vulnerabilities please? Is Jmix also vulnerable?

krivopustov · November 5, 2021, 1:12pm

Hi Maxim,

Yes, we are going to update CUBA 7.2 to the latest Vaadin 8.14, perhaps in the next few weeks.
Jmix 1.1 is already on 8.14.

Regards,
Konstantin

ckwan · May 6, 2022, 1:35am

Hi Konstantin,

I would like to follow up the Vaadin 8.14

Regards,
CK

krivopustov · May 6, 2022, 8:48am

Hi CK,

CUBA was updated to Vaadin 8.14 in version 7.2.17 last December.

Regards,
Konstantin