Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
26 vulnerabilities found for flow by vaadin
CVE-2026-2742 (GCVE-0-2026-2742)
Vulnerability from nvd – Published: 2026-03-10 12:08 – Updated: 2026-03-16 10:52
VLAI?
Title
Unauthorized session creation via reserved framework path access
Summary
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.
Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.
Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:42:57.456886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:44:47.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.14.0",
"status": "affected",
"version": "10.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.6",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.7",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.0.1",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-server",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "1.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.7",
"status": "affected",
"version": "3.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.7",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThan": "25.0.1",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eAn authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1,\u0026nbsp;applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.\u003cbr\u003e\u003cbr\u003eAccessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.\u003cbr\u003e\u003cbr\u003eUsers of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1,\u0026nbsp;23.0.0-23.6.6 to\u0026nbsp;23.6.7,\u0026nbsp;24.0.0 - 24.9.7 to\u0026nbsp;24.9.8, and\u0026nbsp;25.0.0-25.0.1 upgrade to\u0026nbsp;25.0.2 or newer.\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1,\u00a0applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.\n\nAccessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.\n\nUsers of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1,\u00a023.0.0-23.6.6 to\u00a023.6.7,\u00a024.0.0 - 24.9.7 to\u00a024.9.8, and\u00a025.0.0-25.0.1 upgrade to\u00a025.0.2 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T10:52:30.637Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2026-2742"
},
{
"url": "https://github.com/vaadin/flow/pull/22998"
},
{
"url": "https://github.com/vaadin/flow/pull/23037"
},
{
"url": "https://github.com/vaadin/flow/pull/23057"
},
{
"url": "https://github.com/vaadin/flow/pull/23052"
},
{
"url": "https://github.com/vaadin/flow/pull/23034"
},
{
"url": "https://github.com/vaadin/flow/pull/23033"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthorized session creation via reserved framework path access",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2026-2742",
"datePublished": "2026-03-10T12:08:48.738Z",
"dateReserved": "2026-02-19T12:00:12.056Z",
"dateUpdated": "2026-03-16T10:52:30.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2741 (GCVE-0-2026-2741)
Vulnerability from nvd – Published: 2026-03-10 12:08 – Updated: 2026-03-16 10:52
VLAI?
Title
Zip Slip Path Traversal on Node Unpack
Summary
Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2.
Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.
Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:45:35.148213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:45:42.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.14.0",
"status": "affected",
"version": "14.2.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.6",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.8",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.0.2",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-server",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "2.2.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.7",
"status": "affected",
"version": "3.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.9",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-build-tools",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "25.0.3",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003e\u003cp\u003eSpecially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. \u003cbr\u003e\u003cbr\u003eVaadin\u2019s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.\u003c/p\u003e\n\u003cp\u003eUsers of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. \n\nVaadin\u2019s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.\n\n\nUsers of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T10:52:34.173Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2026-2741"
},
{
"url": "https://github.com/vaadin/flow/pull/23125"
},
{
"url": "https://github.com/vaadin/flow/pull/23131"
},
{
"url": "https://github.com/vaadin/flow/pull/23135"
},
{
"url": "https://github.com/vaadin/flow/pull/23133"
},
{
"url": "https://github.com/vaadin/flow/pull/23130"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Zip Slip Path Traversal on Node Unpack",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUse a globally preinstalled Node.js that is compatible with the Vaadin version instead of relying on Vaadin\u0027s automatic Node.js download.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Use a globally preinstalled Node.js that is compatible with the Vaadin version instead of relying on Vaadin\u0027s automatic Node.js download."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2026-2741",
"datePublished": "2026-03-10T12:08:30.515Z",
"dateReserved": "2026-02-19T11:59:57.103Z",
"dateUpdated": "2026-03-16T10:52:34.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-31412 (GCVE-0-2021-31412)
Vulnerability from nvd – Published: 2021-06-24 11:33 – Updated: 2024-09-16 16:18
VLAI?
Title
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Summary
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
Severity ?
5.3 (Medium)
CWE
- CWE-1295 - Debug Messages Revealing Unnecessary Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 10.0.18 (custom) Affected: 11.0.0 , < unspecified (custom) Affected: unspecified , < 14.0.0 (custom) Affected: 14.0.0 , < unspecified (custom) Affected: unspecified , ≤ 14.6.1 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 19.0.8 (custom) |
|||||||
|
|||||||||
Date Public ?
2021-06-24 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"lessThan": "14.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1295",
"description": "CWE-1295 Debug Messages Revealing Unnecessary Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T11:33:10.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-06-24T09:31:00.000Z",
"ID": "CVE-2021-31412",
"STATE": "PUBLIC",
"TITLE": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "10.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.18"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "19.0.8"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "1.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "1.1.0"
},
{
"version_affected": "\u003c",
"version_value": "2.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "6.0.9"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1295 Debug Messages Revealing Unnecessary Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31412",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"name": "https://github.com/vaadin/flow/pull/11107",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/11107"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31412",
"datePublished": "2021-06-24T11:33:10.535Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:18:47.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31411 (GCVE-0-2021-31411)
Vulnerability from nvd – Published: 2021-05-05 18:15 – Updated: 2024-09-16 18:08
VLAI?
Title
Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19
Summary
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
Severity ?
6.3 (Medium)
CWE
- CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.3 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-05-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10640"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "15.0.0",
"status": "affected"
},
{
"at": "19.0.0",
"status": "unaffected"
},
{
"at": "19.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14.0.3",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "affected"
},
{
"at": "6.0.0",
"status": "unaffected"
},
{
"at": "6.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0.9",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-379",
"description": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T18:15:13.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/10640"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-05-04T08:17:00.000Z",
"ID": "CVE-2021-31411",
"STATE": "PUBLIC",
"TITLE": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.3"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.5.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "19.0.4 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.9"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.5.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.5 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31411",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"name": "https://github.com/vaadin/flow/pull/10640",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10640"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31411",
"datePublished": "2021-05-05T18:15:13.220Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:08:17.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31408 (GCVE-0-2021-31408)
Vulnerability from nvd – Published: 2021-04-23 16:07 – Updated: 2024-09-17 02:06
VLAI?
Title
Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19
Summary
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
18.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-04-20 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31408"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10577"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "19.0.0",
"status": "unaffected"
},
{
"at": "19.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "18.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-client",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "6.0.0",
"status": "unaffected"
},
{
"at": "6.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-04-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:07:16.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31408"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10577"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-20T08:17:00.000Z",
"ID": "CVE-2021-31408",
"STATE": "PUBLIC",
"TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "18.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "19.0.3 +1"
}
]
}
},
{
"product_name": "flow-client",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "5.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.4 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31408",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31408"
},
{
"name": "https://github.com/vaadin/flow/pull/10577",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10577"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31408",
"datePublished": "2021-04-23T16:07:16.629Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:19.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31407 (GCVE-0-2021-31407)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-16 17:17
VLAI?
Title
Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Summary
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
Severity ?
8.6 (High)
CWE
- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
19.0.0
Affected: 12.0.0 , < * (custom) |
|||||||
|
|||||||||
Date Public ?
2021-03-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.737Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10269"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"status": "affected",
"version": "19.0.0"
},
{
"lessThan": "*",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "6.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.2.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10269"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-29T08:17:00.000Z",
"ID": "CVE-2021-31407",
"STATE": "PUBLIC",
"TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "12.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.9 +1"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "19.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.2.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.7 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.1 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31407",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"name": "https://github.com/vaadin/osgi/issues/50",
"refsource": "MISC",
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"name": "https://github.com/vaadin/flow/pull/10229",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"name": "https://github.com/vaadin/flow/pull/10269",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10269"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31407",
"datePublished": "2021-04-23T16:05:41.485Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:17:43.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31406 (GCVE-0-2021-31406)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-17 00:02
VLAI?
Title
Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
Summary
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.
Severity ?
4 (Medium)
CWE
- CWE-208 - Information Exposure Through Timing Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
19.0.0
Affected: 15.0.0 , < * (custom) |
|||||||
|
|||||||||
Date Public ?
2021-03-19 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31406"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10157"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"status": "affected",
"version": "19.0.0"
},
{
"lessThan": "*",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"status": "affected",
"version": "6.0.0"
},
{
"lessThan": "*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"datePublic": "2021-03-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Information Exposure Through Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31406"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10157"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-19T09:17:00.000Z",
"ID": "CVE-2021-31406",
"STATE": "PUBLIC",
"TITLE": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "18.0.6 +1"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "19.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "5.0.3 +1"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "6.0.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31406",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31406"
},
{
"name": "https://github.com/vaadin/flow/pull/10157",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10157"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31406",
"datePublished": "2021-04-23T16:05:41.375Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:02:31.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31405 (GCVE-0-2021-31405)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-17 02:32
VLAI?
Title
Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17
Summary
Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.6 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-03-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.726Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31405"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow-components/pull/442"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "15.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14.0.6",
"versionType": "custom"
}
]
},
{
"product": "vaadin-text-field-flow",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31405"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow-components/pull/442"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-11T09:17:00.000Z",
"ID": "CVE-2021-31405",
"STATE": "PUBLIC",
"TITLE": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.6"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.3 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "17.0.10 +1"
}
]
}
},
{
"product_name": "vaadin-text-field-flow",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.4"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.3.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "4.0.2 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31405",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31405"
},
{
"name": "https://github.com/vaadin/flow-components/pull/442",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow-components/pull/442"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31405",
"datePublished": "2021-04-23T16:05:41.259Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:32:47.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31404 (GCVE-0-2021-31404)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-16 23:46
VLAI?
Title
Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
Summary
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.
Severity ?
4 (Medium)
CWE
- CWE-208 - Information Exposure Through Timing Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-02-17 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31404"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/9875"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "11.0.0",
"status": "affected"
},
{
"at": "14.0.0",
"status": "unaffected"
},
{
"at": "14.0.0",
"status": "affected"
},
{
"at": "15.0.0",
"status": "affected"
},
{
"at": "18.0.0",
"status": "unaffected"
},
{
"at": "18.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "1.1.0",
"status": "affected"
},
{
"at": "2.0.0",
"status": "unaffected"
},
{
"at": "2.0.0",
"status": "affected"
},
{
"at": "3.0.0",
"status": "affected"
},
{
"at": "5.0.0",
"status": "unaffected"
},
{
"at": "5.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"datePublic": "2021-02-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Information Exposure Through Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31404"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/9875"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-17T09:17:00.000Z",
"ID": "CVE-2021-31404",
"STATE": "PUBLIC",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "10.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "10.0.16 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "11.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "14.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.6 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "18.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "18.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "18.0.5 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.0.13 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.1.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "2.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.6 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "5.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "5.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "5.0.2 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31404",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31404"
},
{
"name": "https://github.com/vaadin/flow/pull/9875",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/9875"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31404",
"datePublished": "2021-04-23T16:05:41.141Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:46:26.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36321 (GCVE-0-2020-36321)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-17 00:45
VLAI?
Title
Directory traversal in development mode handler in Vaadin 14 and 15-17
Summary
Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
Severity ?
5.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2020-11-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2020-36321"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/9392"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "15.0.0",
"status": "affected"
},
{
"at": "18.0.0",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "affected"
},
{
"at": "5.0.0",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2020-36321"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/9392"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Directory traversal in development mode handler in Vaadin 14 and 15-17",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-11-26T09:17:00.000Z",
"ID": "CVE-2020-36321",
"STATE": "PUBLIC",
"TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "18.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.1 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "5.0.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2020-36321",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2020-36321"
},
{
"name": "https://github.com/vaadin/flow/pull/9392",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/9392"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2020-36321",
"datePublished": "2021-04-23T16:05:40.889Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:45:59.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36319 (GCVE-0-2020-36319)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-16 23:45
VLAI?
Title
Potential sensitive data exposure in applications using Vaadin 15
Summary
Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController
Severity ?
CWE
- CWE-200 - Information Exposure
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
15.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2020-04-21 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2020-36319"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/8016"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/8051"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)."
}
],
"datePublic": "2020-04-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2020-36319"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/8016"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/8051"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Potential sensitive data exposure in applications using Vaadin 15",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-04-21T08:17:00.000Z",
"ID": "CVE-2020-36319",
"STATE": "PUBLIC",
"TITLE": "Potential sensitive data exposure in applications using Vaadin 15"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "15.0.4 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "3.0.5 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController"
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2020-36319",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2020-36319"
},
{
"name": "https://github.com/vaadin/flow/pull/8016",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/8016"
},
{
"name": "https://github.com/vaadin/flow/pull/8051",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/8051"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2020-36319",
"datePublished": "2021-04-23T16:05:40.661Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:45:49.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-25027 (GCVE-0-2019-25027)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-17 01:15
VLAI?
Title
Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
Summary
Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL
Severity ?
6.1 (Medium)
CWE
- CWE-81 - Improper Neutralization of Script in an Error Message Web Page
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2019-05-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2019-25027"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/5498"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "11.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "1.1.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-81",
"description": "CWE-81 Improper Neutralization of Script in an Error Message Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2019-25027"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/5498"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-05-27T08:17:00.000Z",
"ID": "CVE-2019-25027",
"STATE": "PUBLIC",
"TITLE": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "10.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "10.0.13 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "11.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "13.0.5 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.0.10 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.1.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.4.2 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL"
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-81 Improper Neutralization of Script in an Error Message Web Page"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2019-25027",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2019-25027"
},
{
"name": "https://github.com/vaadin/flow/pull/5498",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/5498"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2019-25027",
"datePublished": "2021-04-23T16:05:40.442Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:15:38.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-25007 (GCVE-0-2018-25007)
Vulnerability from nvd – Published: 2021-04-23 16:05 – Updated: 2024-09-16 18:18
VLAI?
Title
Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
Summary
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
Severity ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2018-11-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2018-25007"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/4774"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "11.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-11-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2018-25007"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/4774"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2018-11-29T09:17:00.000Z",
"ID": "CVE-2018-25007",
"STATE": "PUBLIC",
"TITLE": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "10.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "10.0.7 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "11.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "11.0.2 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.0.5 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2018-25007",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2018-25007"
},
{
"name": "https://github.com/vaadin/flow/pull/4774",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/4774"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2018-25007",
"datePublished": "2021-04-23T16:05:40.338Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:18:49.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-2742 (GCVE-0-2026-2742)
Vulnerability from cvelistv5 – Published: 2026-03-10 12:08 – Updated: 2026-03-16 10:52
VLAI?
Title
Unauthorized session creation via reserved framework path access
Summary
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.
Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.
Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:42:57.456886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:44:47.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.14.0",
"status": "affected",
"version": "10.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.6",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.7",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.0.1",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-server",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "1.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.7",
"status": "affected",
"version": "3.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.7",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThan": "25.0.1",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eAn authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1,\u0026nbsp;applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.\u003cbr\u003e\u003cbr\u003eAccessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.\u003cbr\u003e\u003cbr\u003eUsers of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1,\u0026nbsp;23.0.0-23.6.6 to\u0026nbsp;23.6.7,\u0026nbsp;24.0.0 - 24.9.7 to\u0026nbsp;24.9.8, and\u0026nbsp;25.0.0-25.0.1 upgrade to\u0026nbsp;25.0.2 or newer.\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1,\u00a0applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.\n\nAccessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.\n\nUsers of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1,\u00a023.0.0-23.6.6 to\u00a023.6.7,\u00a024.0.0 - 24.9.7 to\u00a024.9.8, and\u00a025.0.0-25.0.1 upgrade to\u00a025.0.2 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T10:52:30.637Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2026-2742"
},
{
"url": "https://github.com/vaadin/flow/pull/22998"
},
{
"url": "https://github.com/vaadin/flow/pull/23037"
},
{
"url": "https://github.com/vaadin/flow/pull/23057"
},
{
"url": "https://github.com/vaadin/flow/pull/23052"
},
{
"url": "https://github.com/vaadin/flow/pull/23034"
},
{
"url": "https://github.com/vaadin/flow/pull/23033"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthorized session creation via reserved framework path access",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2026-2742",
"datePublished": "2026-03-10T12:08:48.738Z",
"dateReserved": "2026-02-19T12:00:12.056Z",
"dateUpdated": "2026-03-16T10:52:30.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2741 (GCVE-0-2026-2741)
Vulnerability from cvelistv5 – Published: 2026-03-10 12:08 – Updated: 2026-03-16 10:52
VLAI?
Title
Zip Slip Path Traversal on Node Unpack
Summary
Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2.
Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.
Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:45:35.148213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:45:42.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.14.0",
"status": "affected",
"version": "14.2.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.6",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.8",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.0.2",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-server",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "2.2.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.7",
"status": "affected",
"version": "3.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.9",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-build-tools",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "25.0.3",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003e\u003cp\u003eSpecially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. \u003cbr\u003e\u003cbr\u003eVaadin\u2019s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.\u003c/p\u003e\n\u003cp\u003eUsers of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. \n\nVaadin\u2019s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.\n\n\nUsers of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T10:52:34.173Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2026-2741"
},
{
"url": "https://github.com/vaadin/flow/pull/23125"
},
{
"url": "https://github.com/vaadin/flow/pull/23131"
},
{
"url": "https://github.com/vaadin/flow/pull/23135"
},
{
"url": "https://github.com/vaadin/flow/pull/23133"
},
{
"url": "https://github.com/vaadin/flow/pull/23130"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Zip Slip Path Traversal on Node Unpack",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUse a globally preinstalled Node.js that is compatible with the Vaadin version instead of relying on Vaadin\u0027s automatic Node.js download.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Use a globally preinstalled Node.js that is compatible with the Vaadin version instead of relying on Vaadin\u0027s automatic Node.js download."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2026-2741",
"datePublished": "2026-03-10T12:08:30.515Z",
"dateReserved": "2026-02-19T11:59:57.103Z",
"dateUpdated": "2026-03-16T10:52:34.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-31412 (GCVE-0-2021-31412)
Vulnerability from cvelistv5 – Published: 2021-06-24 11:33 – Updated: 2024-09-16 16:18
VLAI?
Title
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Summary
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
Severity ?
5.3 (Medium)
CWE
- CWE-1295 - Debug Messages Revealing Unnecessary Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 10.0.18 (custom) Affected: 11.0.0 , < unspecified (custom) Affected: unspecified , < 14.0.0 (custom) Affected: 14.0.0 , < unspecified (custom) Affected: unspecified , ≤ 14.6.1 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 19.0.8 (custom) |
|||||||
|
|||||||||
Date Public ?
2021-06-24 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"lessThan": "14.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1295",
"description": "CWE-1295 Debug Messages Revealing Unnecessary Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T11:33:10.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-06-24T09:31:00.000Z",
"ID": "CVE-2021-31412",
"STATE": "PUBLIC",
"TITLE": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "10.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.18"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "19.0.8"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "1.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "1.1.0"
},
{
"version_affected": "\u003c",
"version_value": "2.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "6.0.9"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1295 Debug Messages Revealing Unnecessary Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31412",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"name": "https://github.com/vaadin/flow/pull/11107",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/11107"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31412",
"datePublished": "2021-06-24T11:33:10.535Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:18:47.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31411 (GCVE-0-2021-31411)
Vulnerability from cvelistv5 – Published: 2021-05-05 18:15 – Updated: 2024-09-16 18:08
VLAI?
Title
Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19
Summary
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
Severity ?
6.3 (Medium)
CWE
- CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.3 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-05-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10640"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "15.0.0",
"status": "affected"
},
{
"at": "19.0.0",
"status": "unaffected"
},
{
"at": "19.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14.0.3",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "affected"
},
{
"at": "6.0.0",
"status": "unaffected"
},
{
"at": "6.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0.9",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-379",
"description": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T18:15:13.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/10640"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-05-04T08:17:00.000Z",
"ID": "CVE-2021-31411",
"STATE": "PUBLIC",
"TITLE": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.3"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.5.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "19.0.4 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.9"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.5.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.5 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31411",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"name": "https://github.com/vaadin/flow/pull/10640",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10640"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31411",
"datePublished": "2021-05-05T18:15:13.220Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:08:17.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31408 (GCVE-0-2021-31408)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:07 – Updated: 2024-09-17 02:06
VLAI?
Title
Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19
Summary
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
18.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-04-20 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31408"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10577"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "19.0.0",
"status": "unaffected"
},
{
"at": "19.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "18.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-client",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "6.0.0",
"status": "unaffected"
},
{
"at": "6.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-04-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:07:16.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31408"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10577"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-20T08:17:00.000Z",
"ID": "CVE-2021-31408",
"STATE": "PUBLIC",
"TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "18.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "19.0.3 +1"
}
]
}
},
{
"product_name": "flow-client",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "5.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.4 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31408",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31408"
},
{
"name": "https://github.com/vaadin/flow/pull/10577",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10577"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31408",
"datePublished": "2021-04-23T16:07:16.629Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:19.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31407 (GCVE-0-2021-31407)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-16 17:17
VLAI?
Title
Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Summary
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
Severity ?
8.6 (High)
CWE
- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
19.0.0
Affected: 12.0.0 , < * (custom) |
|||||||
|
|||||||||
Date Public ?
2021-03-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.737Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10269"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"status": "affected",
"version": "19.0.0"
},
{
"lessThan": "*",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "6.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.2.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10269"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-29T08:17:00.000Z",
"ID": "CVE-2021-31407",
"STATE": "PUBLIC",
"TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "12.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.9 +1"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "19.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.2.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.7 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.1 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31407",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"name": "https://github.com/vaadin/osgi/issues/50",
"refsource": "MISC",
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"name": "https://github.com/vaadin/flow/pull/10229",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"name": "https://github.com/vaadin/flow/pull/10269",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10269"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31407",
"datePublished": "2021-04-23T16:05:41.485Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:17:43.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31406 (GCVE-0-2021-31406)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-17 00:02
VLAI?
Title
Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
Summary
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.
Severity ?
4 (Medium)
CWE
- CWE-208 - Information Exposure Through Timing Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
19.0.0
Affected: 15.0.0 , < * (custom) |
|||||||
|
|||||||||
Date Public ?
2021-03-19 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31406"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10157"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"status": "affected",
"version": "19.0.0"
},
{
"lessThan": "*",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"status": "affected",
"version": "6.0.0"
},
{
"lessThan": "*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"datePublic": "2021-03-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Information Exposure Through Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31406"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/10157"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-19T09:17:00.000Z",
"ID": "CVE-2021-31406",
"STATE": "PUBLIC",
"TITLE": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "18.0.6 +1"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "19.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "5.0.3 +1"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "6.0.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31406",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31406"
},
{
"name": "https://github.com/vaadin/flow/pull/10157",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10157"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31406",
"datePublished": "2021-04-23T16:05:41.375Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:02:31.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31405 (GCVE-0-2021-31405)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-17 02:32
VLAI?
Title
Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17
Summary
Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.6 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-03-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.726Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31405"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow-components/pull/442"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "15.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14.0.6",
"versionType": "custom"
}
]
},
{
"product": "vaadin-text-field-flow",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0.4",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31405"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow-components/pull/442"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-11T09:17:00.000Z",
"ID": "CVE-2021-31405",
"STATE": "PUBLIC",
"TITLE": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.6"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.3 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "17.0.10 +1"
}
]
}
},
{
"product_name": "vaadin-text-field-flow",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.4"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.3.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "4.0.2 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31405",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31405"
},
{
"name": "https://github.com/vaadin/flow-components/pull/442",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow-components/pull/442"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31405",
"datePublished": "2021-04-23T16:05:41.259Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:32:47.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31404 (GCVE-0-2021-31404)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-16 23:46
VLAI?
Title
Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
Summary
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.
Severity ?
4 (Medium)
CWE
- CWE-208 - Information Exposure Through Timing Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-02-17 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31404"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/9875"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "11.0.0",
"status": "affected"
},
{
"at": "14.0.0",
"status": "unaffected"
},
{
"at": "14.0.0",
"status": "affected"
},
{
"at": "15.0.0",
"status": "affected"
},
{
"at": "18.0.0",
"status": "unaffected"
},
{
"at": "18.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "1.1.0",
"status": "affected"
},
{
"at": "2.0.0",
"status": "unaffected"
},
{
"at": "2.0.0",
"status": "affected"
},
{
"at": "3.0.0",
"status": "affected"
},
{
"at": "5.0.0",
"status": "unaffected"
},
{
"at": "5.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"datePublic": "2021-02-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Information Exposure Through Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:41.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2021-31404"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/9875"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-17T09:17:00.000Z",
"ID": "CVE-2021-31404",
"STATE": "PUBLIC",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "10.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "10.0.16 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "11.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "14.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.6 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "18.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "18.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "18.0.5 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.0.13 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.1.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "2.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.6 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "5.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "5.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "5.0.2 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31404",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31404"
},
{
"name": "https://github.com/vaadin/flow/pull/9875",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/9875"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31404",
"datePublished": "2021-04-23T16:05:41.141Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:46:26.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36321 (GCVE-0-2020-36321)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-17 00:45
VLAI?
Title
Directory traversal in development mode handler in Vaadin 14 and 15-17
Summary
Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
Severity ?
5.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2020-11-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2020-36321"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/9392"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "15.0.0",
"status": "affected"
},
{
"at": "18.0.0",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "affected"
},
{
"at": "5.0.0",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2020-36321"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/9392"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Directory traversal in development mode handler in Vaadin 14 and 15-17",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-11-26T09:17:00.000Z",
"ID": "CVE-2020-36321",
"STATE": "PUBLIC",
"TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "18.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.1 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "5.0.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2020-36321",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2020-36321"
},
{
"name": "https://github.com/vaadin/flow/pull/9392",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/9392"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2020-36321",
"datePublished": "2021-04-23T16:05:40.889Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:45:59.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36319 (GCVE-0-2020-36319)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-16 23:45
VLAI?
Title
Potential sensitive data exposure in applications using Vaadin 15
Summary
Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController
Severity ?
CWE
- CWE-200 - Information Exposure
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
15.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2020-04-21 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2020-36319"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/8016"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/8051"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)."
}
],
"datePublic": "2020-04-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2020-36319"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/8016"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/8051"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Potential sensitive data exposure in applications using Vaadin 15",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-04-21T08:17:00.000Z",
"ID": "CVE-2020-36319",
"STATE": "PUBLIC",
"TITLE": "Potential sensitive data exposure in applications using Vaadin 15"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "15.0.4 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "3.0.5 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController"
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2020-36319",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2020-36319"
},
{
"name": "https://github.com/vaadin/flow/pull/8016",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/8016"
},
{
"name": "https://github.com/vaadin/flow/pull/8051",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/8051"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2020-36319",
"datePublished": "2021-04-23T16:05:40.661Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:45:49.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-25027 (GCVE-0-2019-25027)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-17 01:15
VLAI?
Title
Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
Summary
Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL
Severity ?
6.1 (Medium)
CWE
- CWE-81 - Improper Neutralization of Script in an Error Message Web Page
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2019-05-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2019-25027"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/5498"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "11.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "1.1.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-81",
"description": "CWE-81 Improper Neutralization of Script in an Error Message Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2019-25027"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/5498"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-05-27T08:17:00.000Z",
"ID": "CVE-2019-25027",
"STATE": "PUBLIC",
"TITLE": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "10.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "10.0.13 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "11.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "13.0.5 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.0.10 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.1.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.4.2 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL"
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-81 Improper Neutralization of Script in an Error Message Web Page"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2019-25027",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2019-25027"
},
{
"name": "https://github.com/vaadin/flow/pull/5498",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/5498"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2019-25027",
"datePublished": "2021-04-23T16:05:40.442Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:15:38.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-25007 (GCVE-0-2018-25007)
Vulnerability from cvelistv5 – Published: 2021-04-23 16:05 – Updated: 2024-09-16 18:18
VLAI?
Title
Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
Summary
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
Severity ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Date Public ?
2018-11-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2018-25007"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/4774"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "11.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-11-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T16:05:40.000Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2018-25007"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow/pull/4774"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2018-11-29T09:17:00.000Z",
"ID": "CVE-2018-25007",
"STATE": "PUBLIC",
"TITLE": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "10.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "10.0.7 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "11.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "11.0.2 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "1.0.5 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2018-25007",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2018-25007"
},
{
"name": "https://github.com/vaadin/flow/pull/4774",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/4774"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2018-25007",
"datePublished": "2021-04-23T16:05:40.338Z",
"dateReserved": "2021-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:18:49.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}