Vaadin 14 vulnerabilities
Hi, we were analysing the vulnerabilities of our Vaadin 14 applications with the latest version (14.8.4) and these vulnerabilities related to vaadin dependencies were found:
[ERROR] ansi-html:0.0.7: CVE-2021-23424
[ERROR] ansi-regex:4.1.0: CVE-2021-3807
[ERROR] btoa:1.2.1: CWE-125: Out-of-bounds Read
[ERROR] faye-websocket:0.10.0: CVE-2020-15133
[ERROR] follow-redirects:1.14.1: CVE-2022-0536, CVE-2022-0155
[ERROR] glob-parent:3.1.0: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[ERROR] highcharts:6.1.4: CVE-2021-29489, CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[ERROR] jackson-databind-2.9.10.4.jar: CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-36180, CVE-2020-14195, CVE-2020-24616, CVE-2020-36182, CVE-2020-36181, CVE-2020-25649, CVE-2020-35491, CVE-2020-36184, CVE-2020-35490, CVE-2020-36183, CVE-2020-35728, CVE-2020-24750, CVE-2021-20190, CVE-2020-36186, CVE-2020-36185, CVE-2020-36188, CVE-2020-36187, CVE-2020-36179, CVE-2020-36189
[ERROR] tar:6.1.0: CVE-2021-32803, CVE-2021-32804, CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[ERROR] url-parse:1.5.1: CVE-2021-3664, CVE-2022-0512
[ERROR] vaadin-board-2.2.0.jar: CVE-2011-0509
[ERROR] vaadin-charts-6.3.3.jar: CVE-2011-0509
[ERROR] vaadin-confirm-dialog-1.3.0.jar: CVE-2011-0509
[ERROR] vaadin-cookie-consent-1.2.0.jar: CVE-2011-0509
[ERROR] vaadin-crud-1.3.1.jar: CVE-2011-0509
[ERROR] vaadin-grid-pro-2.3.0.jar: CVE-2011-0509
Did you know about them? How do you handle them? Thanks
Hi, need to have a good look, but was this produced by dependency-check-maven? Unfortunately it also reports many false positives. E.g. CVE-2011-0509 is not applicable to anything beyond Vaadin 6.
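As an added example that is not part of the original thread or of Vaadin's own project files: an OWASP dependency-check suppression file that records the false positive described in the reply, scoped to the vaadin-*.jar entries from the scan output rather than suppressing CVE-2011-0509 globally, followed by the dependency-check-maven configuration that loads it. The file name owasp-suppressions.xml and its location in the project root are assumptions.

```xml
<!-- owasp-suppressions.xml (assumed file name and location).
     Every <suppress> carries a <notes> entry stating WHY the finding is a
     false positive, so it can be re-evaluated when the dependency changes. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2011-0509 applies to Vaadin 6 and earlier only. The jars matched
      below are Vaadin 14 component add-ons flagged by name. Review this
      suppression on every Vaadin upgrade.
    ]]></notes>
    <!-- Scope: only the jar names that appeared in the scan output,
         not every artifact in the build. -->
    <filePath regex="true">.*[/\\]vaadin-(board|charts|confirm-dialog|cookie-consent|crud|grid-pro)-[0-9.]+\.jar</filePath>
    <cve>CVE-2011-0509</cve>
  </suppress>
</suppressions>

<!-- pom.xml: point dependency-check-maven at the suppression file above -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <suppressionFiles>
      <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>
```

After re-running the check, CVE-2011-0509 should appear in the report's suppressed findings instead of as an error, while the remaining entries from the scan (jackson-databind, tar, follow-redirects and the rest) stay visible until they are resolved by upgrading.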