Vaadin Javascript Injection (7.7.9)

Hi Knimer

Knime server 4.11/4.10/… uses Vaadin 7.7.9 for embedded web forms.

(Search Vaadin)

vaadin-client-compiled-7.7.9.jar
vaadin-server-7.7.9.jar
vaadin-shared-7.7.9.jar
vaadin-themes-7.7.9.jar

Vaadin 7.7.9 is potentially vulnerable to Java injection attack –
https://www.mageni.net/vulnerability/vaadin-javascript-injection-107226

Any security concerns?

Hi @yhuang,

With KNIME Server 4.11, we released a new WebPortal which does not use Vaadin anymore. The old WebPortal can be deactivated if needed (set com.knime.server.webportal.disable_legacy=true in knime-server.config).

Cheers,
Roland

2 Likes
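
An added example, not part of the thread and not KNIME's own code: a check that inventories the Vaadin jars under an installation directory and reports whether the setting from the reply above is active in knime-server.config. It assumes the config file uses properties-style key=value lines with # or ! comments and that a later assignment overrides an earlier one; the function names and the directory arguments are hypothetical.

```python
import re
from pathlib import Path

# Key and file name come from the reply above; the file syntax is an assumption.
LEGACY_KEY = "com.knime.server.webportal.disable_legacy"
JAR_RE = re.compile(r"^vaadin-([a-z-]+?)-(\d+(?:\.\d+)*)\.jar$")


def find_vaadin_jars(root):
    """Return sorted (component, version, path) for every vaadin-*.jar under root."""
    hits = []
    for path in Path(root).rglob("vaadin-*.jar"):
        m = JAR_RE.match(path.name)
        if m:
            hits.append((m.group(1), m.group(2), str(path)))
    return sorted(hits)


def legacy_portal_disabled(config_text):
    """True only if the last uncommented assignment of LEGACY_KEY is 'true'."""
    value = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment (assumed comment syntax)
        key, sep, val = line.partition("=")
        if sep and key.strip() == LEGACY_KEY:
            value = val.strip().lower()  # assumed: later assignment wins
    return value == "true"


def audit(install_root, config_path):
    """Summarise which Vaadin jars are present and whether the old WebPortal is off."""
    cfg = Path(config_path)
    disabled = cfg.is_file() and legacy_portal_disabled(cfg.read_text())
    jars = find_vaadin_jars(install_root)
    return {
        "vaadin_versions": sorted({version for _, version, _ in jars}),
        "jar_count": len(jars),
        "legacy_disabled": disabled,
        # Jars on disk while the old WebPortal is still enabled: flag for follow-up.
        "needs_review": bool(jars) and not disabled,
    }
```

A missing config file or a commented-out key is treated as "not disabled", so the check fails closed.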