CVE-2020-36320

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause denial of service through resource exhaustion by submitting specially crafted email addresses that trigger inefficient regular expression processing in Vaadin's EmailValidator. It affects all applications using Vaadin framework versions 7.0.0 through 7.7.21 that perform email validation.

💻 Affected Systems

Products:
  • Vaadin Framework
Versions: 7.0.0 through 7.7.21
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using EmailValidator class is vulnerable. The vulnerability is in the framework itself, not dependent on specific configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability due to CPU exhaustion, potentially affecting all users and requiring a server restart.

🟠 Likely Case: Degraded application performance, increased response times, and potential service disruption for some users.

🟢 If Mitigated: Minimal impact with proper input validation, rate limiting, and monitoring in place.

🌐 Internet-Facing: HIGH - Publicly accessible applications are directly exposed to malicious input.
🏢 Internal Only: MEDIUM - Internal users could still exploit, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and can be performed with simple HTTP requests containing malicious email patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.7.22

Vendor Advisory: https://vaadin.com/security/cve-2020-36320

Restart Required: Yes

Instructions:

1. Update the Vaadin dependency to version 7.7.22 or later in your project's build configuration (Maven/Gradle).
2. Rebuild and redeploy your application.
3. Restart application servers.

🔧 Temporary Workarounds

Custom email validation (all versions)

Replace the vulnerable EmailValidator with your own email validation: implement validation logic that does not use the vulnerable regex pattern.

Rate limiting (all versions)

Implement request rate limiting to prevent mass exploitation: configure web server or application rate-limiting rules.
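As an added example (not code from the advisory or from Vaadin), here is a replacement validator of the kind the first workaround describes: it checks e-mail syntax in a single bounded pass with no regular expression, so the cost cannot blow up on crafted input. It assumes Vaadin 7's `com.vaadin.data.validator.AbstractStringValidator` base class and is a plausibility check, not a full RFC 5322 parser.

```java
import com.vaadin.data.validator.AbstractStringValidator;

// Constructed example: checks e-mail syntax with one left-to-right scan instead of a
// backtracking regex, so validation cost stays linear in input length for any content.
public class LinearEmailValidator extends AbstractStringValidator {
    private static final int MAX_LENGTH = 254; // RFC 5321 mailbox length bound
    private static final int MAX_LABEL = 63;   // RFC 1035 DNS label length bound

    public LinearEmailValidator(String errorMessage) {
        super(errorMessage); // assumed Vaadin 7 base-class constructor
    }

    @Override
    protected boolean isValidValue(String value) {
        return isPlausibleEmail(value);
    }

    // Plain static check, usable outside Vaadin as well (e.g. in a servlet filter).
    public static boolean isPlausibleEmail(String s) {
        if (s == null || s.isEmpty() || s.length() > MAX_LENGTH) return false;
        int at = s.indexOf('@');
        // exactly one '@' with a non-empty local part before it and a domain after it
        if (at <= 0 || at != s.lastIndexOf('@') || at == s.length() - 1) return false;
        for (int i = 0; i < at; i++) {
            if (!isLocalChar(s.charAt(i))) return false;
        }
        return isValidDomain(s, at + 1);
    }

    private static boolean isLocalChar(char c) {
        return (c < 128 && Character.isLetterOrDigit(c)) || "._%+-".indexOf(c) >= 0;
    }

    // domain = label ('.' label)+ ; label = alnum (alnum | '-')* alnum ; last label >= 2 chars
    private static boolean isValidDomain(String s, int start) {
        int labels = 0, labelLen = 0;
        for (int i = start; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '.') {
                if (labelLen == 0 || s.charAt(i - 1) == '-') return false; // empty label or trailing '-'
                labels++;
                labelLen = 0;
            } else if (c == '-' ? labelLen == 0 : !(c < 128 && Character.isLetterOrDigit(c))) {
                return false; // leading '-' or a character outside [A-Za-z0-9-]
            } else if (++labelLen > MAX_LABEL) {
                return false;
            }
        }
        return labels >= 1 && labelLen >= 2 && s.charAt(s.length() - 1) != '-';
    }
}
```

Register it on the field in place of `EmailValidator`; the length cap alone already bounds the work per request, and the scan never revisits a character.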

🧯 If You Can't Patch

  • Implement WAF rules to block requests with suspicious email patterns
  • Deploy monitoring for abnormal CPU usage patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check your project's pom.xml or build.gradle for Vaadin version 7.0.0-7.7.21

Check Version:

mvn dependency:tree | grep vaadin-server OR check build.gradle dependencies

Verify Fix Applied:

Verify Vaadin version is 7.7.22 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed validation attempts with unusual email patterns
  • Increased error rates in validation logs

Network Indicators:

  • High volume of requests to validation endpoints
  • Requests whose email fields contain unusually long or highly repetitive strings of the kind that trigger regex backtracking

SIEM Query:

source="application_logs" AND (message="*EmailValidator*" OR message="*validation*error*") AND count > threshold
