Vulnerabilities related to Vaadin - Vaadin
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 06:05
Severity (CVSS v3.1 base scores; the vendor/CNA score from security@vaadin.com is listed first, the NVD score second)
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Unsafe validation RegEx in the EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows an unauthenticated remote attacker (CVSS AV:N/PR:N/UI:N) to cause uncontrolled resource consumption (CWE-400, i.e. a regular-expression denial of service) by submitting crafted email addresses. The NVD configuration below lists 2.3.3 and 4.0.3 (Vaadin 14.4.4 and 17.0.11) as the first versions outside the affected ranges; the vendor advisory and the referenced pull request carry the patch details. The related CVE-2021-31409 further down this page covers the same class of issue in the Vaadin 8 EmailValidator.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow-components/pull/442 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31405 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow-components/pull/442 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31405 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "74EA30C3-4C81-4C39-8EB8-75BB8A3BF1C9", "versionEndExcluding": "2.3.3", "versionStartIncluding": "2.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F972BCA-7736-42A8-A676-656183AB1096", "versionEndExcluding": "4.0.3", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "78D36620-0467-4D06-9228-B1F21CD7CC45", "versionEndExcluding": "14.4.4", "versionStartIncluding": "14.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C540D0C-0B64-49FB-87B7-9D856C31154F", "versionEndExcluding": "17.0.11", "versionStartIncluding": "15.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." 
}, { "lang": "es", "value": "Una comprobaci\u00f3n no segura de RegEx en el componente EmailField en com.vaadin:vaadin-text-field-flow versiones 2.0.4 hasta 2.3.2 (Vaadin versiones 14.0.6 hasta 14.4.3) y versiones 3.0.0 hasta 4.0.2 (Vaadin versiones 15.0.0 hasta 17.0.10), permite a atacantes causar un consumo de recursos no controlado mediante el env\u00edo de direcciones de correo electr\u00f3nico maliciosas" } ], "id": "CVE-2021-31405", "lastModified": "2024-11-21T06:05:35.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": 
"Primary" } ] }, "published": "2021-04-23T16:15:08.687", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow-components/pull/442" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31405" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow-components/pull/442" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31405" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 06:05
Severity (CVSS v3.1 base scores; the vendor/CNA score from security@vaadin.com is listed first, the NVD score second)
4.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows an attacker to guess the security token via a timing attack (CWE-208 observable timing discrepancy per the vendor, CWE-203 per NVD). Both the vendor and NVD rate the attack vector as local with high complexity (AV:L/AC:H), presumably because the timing difference of a string comparison is hard to measure over a network; the two scores differ only on privileges required (vendor PR:N, NVD PR:L). The NVD configuration below lists flow-server 1.0.14, 2.4.7 and 5.0.3 (Vaadin 10.0.17, 14.4.7 and 18.0.6) as the first versions outside the affected ranges, but names no patched release inside the Vaadin 11-13 and 15-17 lines; note also that the CPE range for the latter stops at Vaadin 17.0.0 while the description says "prior to 18", so verify the affected range against the vendor advisory.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/9875 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31404 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/9875 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31404 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B6B73DE-1089-401A-8E6E-31938A277F6F", "versionEndExcluding": "1.0.14", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA762C83-724A-4D14-B4C4-9824799B2999", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "409F92E2-6634-4596-BD66-FBD46E45E658", "versionEndExcluding": "2.4.7", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "796C0FAD-172F-4186-847E-5312F3664734", "versionEndExcluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "53839127-7CF7-4BDC-BC21-29DF165B2BB0", "versionEndExcluding": "5.0.3", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "18A7C1CA-ED82-43FD-A3FC-68CC66D17B96", "versionEndExcluding": "10.0.17", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "06E47D63-52A7-4B6A-B90F-7692D854DECC", "versionEndExcluding": "14.0.0", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "C13F08D0-2AB9-4B27-B023-59B9F43626F6", "versionEndExcluding": "14.4.7", "versionStartIncluding": "14.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D0B97C7-D17B-4006-AFE6-707F1290E39E", "versionEndExcluding": "17.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": 
"C06D13A9-529D-4523-BA83-AC217FF63808", "versionEndExcluding": "18.0.6", "versionStartIncluding": "18.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack." }, { "lang": "es", "value": "La comparaci\u00f3n non-constant-time de tokens CSRF en el manejador de peticiones UIDL en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.13 (Vaadin versiones 10.0.0 hasta 10.0.16), versiones 1.1.0 anteriores a 2.0.0 (Vaadin versiones 11 anteriores a 14), versiones 2.0.0 hasta 2.4.6 (Vaadin versiones 14.0.0 hasta 14.4.6), versiones 3.0.0 anteriores a 5.0.0 (Vaadin versiones 15 anteriores a 18) y versiones 5.0.0 hasta 5.0.2 (Vaadin versiones 18.0.0 hasta 18.0.5), permite al atacante adivinar un token de seguridad por medio de un ataque de sincronizaci\u00f3n" } ], "id": "CVE-2021-31404", "lastModified": "2024-11-21T06:05:35.730", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", 
"availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.4, "impactScore": 2.5, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T16:15:08.647", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/9875" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31404" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/9875" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31404" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-208" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 04:03
Severity (CVSS v3.1 base scores; the vendor/CNA score from security@vaadin.com is listed first, the NVD score second)
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Missing check in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows an attacker to update element property values held on the server via a crafted synchronization message (CWE-754, improper check for unusual or exceptional conditions). Both scores require low privileges (PR:L); the vendor additionally rates it AC:H/UI:R (2.6) while NVD rates it AC:L/UI:N (4.3). Presumably the missing check is whether the targeted property was actually registered for client-to-server synchronization — confirm against the referenced pull request. The NVD configuration below lists flow-server 1.0.6 (Vaadin 10.0.8 and 11.0.3) as the first versions outside the affected ranges.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/4774 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2018-25007 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/4774 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2018-25007 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BE0CFD8-425E-4422-A110-3E9C366A01CD", "versionEndExcluding": "1.0.6", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B3539F7-683C-4C28-907E-8F9D4142CD0D", "versionEndExcluding": "10.0.8", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0D9C6DC-5386-4D8A-AF43-0AD496F11B85", "versionEndExcluding": "11.0.3", "versionStartIncluding": "11.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message." 
}, { "lang": "es", "value": "Una falta de comprobaci\u00f3n en el controlador de peticiones UIDL en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.5 (Vaadin versiones 10.0.0 hasta 10.0.7 y versiones 11.0.0 hasta 11.0.2), permiten al atacante actualizar los valores de propiedad del elemento por medio de mensaje de sincronizaci\u00f3n" } ], "id": "CVE-2018-25007", "lastModified": "2024-11-21T04:03:20.533", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T16:15:07.933", "references": [ { 
"source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/4774" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2018-25007" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/4774" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2018-25007" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-754" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-754" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 04:39
Severity (CVSS v3.1 base scores; the vendor/CNA score from security@vaadin.com is listed first, the NVD score second)
5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector (cross-site scripting; CWE-80 per the vendor, CWE-79 per NVD). This affects the Vaadin 7/8 framework artifact (vaadin-server), not the flow-server / Flow-based entries elsewhere on this page. Both scores mark scope as changed (S:C), as is usual for XSS; they differ on whether user interaction is required (vendor AC:H/UI:N, NVD AC:L/UI:R). The NVD configuration below lists 7.7.20 and 8.8.5 as the first versions outside the affected ranges; two patch pull requests are referenced, presumably one per affected major version.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/framework/pull/11644 | Patch, Third Party Advisory | |
security@vaadin.com | https://github.com/vaadin/framework/pull/11645 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2019-25028 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/11644 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/11645 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2019-25028 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C305DD7-93FC-4C39-A455-BCF80114B50E", "versionEndExcluding": "7.7.20", "versionStartIncluding": "7.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "22187CAD-62AB-4093-9029-05C7D064BD4A", "versionEndExcluding": "8.8.5", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector" }, { "lang": "es", "value": "Una falta de un saneamiento de variables en el componente Grid en com.vaadin:vaadin-server versiones 7.4.0 hasta 7.7.19 (Vaadin versiones 7.4.0 hasta 7.7.19) y versiones 8.0.0 hasta 8.8.4 (Vaadin versiones 8.0.0 hasta 8.8.4 ), permite al atacante inyectar JavaScript malicioso por medio de un vector no especificado" } ], "id": "CVE-2019-25028", "lastModified": "2024-11-21T04:39:46.560", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", 
"confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T16:15:08.267", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/11644" }, { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/11645" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2019-25028" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/11644" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/11645" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2019-25028" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-80" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } 
] }
Vulnerability from fkie_nvd
Published
2022-05-24 15:15
Modified
2024-11-21 06:59
Severity (CVSS v3.1 base scores; the vendor/CNA score from security@vaadin.com is listed first, the NVD score second)
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The default configuration of the TreeGrid component uses Object::toString as the item key in client/server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure (CWE-200): whatever an item's toString() returns is sent to the browser, so any data included in that string reaches the client side even though it was never meant to leave the server. Until upgraded, applications should check that the toString() of item types bound to a TreeGrid exposes nothing sensitive. Note that the NVD configuration below extends the 22.0.x range to 22.0.15 (inclusive) and adds the 23.0.0 GA release, beta3, beta4 and rc1 to the description's beta2-through-23.0.8 range; the vendor rates it PR:L/UI:R (5.7) while NVD rates it PR:N/UI:N (7.5).
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow-components/pull/3046 | Issue Tracking, Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2022-29567 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow-components/pull/3046 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2022-29567 | Issue Tracking, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "0579A51E-A3E6-4380-A378-55C53EC3768D", "versionEndIncluding": "14.8.9", "versionStartIncluding": "14.8.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A7479D6-D6DF-4BE2-AD6C-F92DC502C6B3", "versionEndIncluding": "22.0.15", "versionStartIncluding": "22.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C5BD69D-AF05-4A3E-AB1C-B3B3D1721E0E", "versionEndIncluding": "23.0.8", "versionStartIncluding": "23.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "9E4809E3-6B53-484E-BE86-BB554D346C01", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "F50971D5-297E-4558-9BE5-AD7378A4215F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "E561C638-33CB-4C1C-9A0B-FC590993C59F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "F992E61E-EC84-44E9-90CE-113EF2B1EB05", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F4382528-7D82-4339-8615-891C93D749C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "778333E4-27C5-4EA3-8EF8-48774CE67188", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "A84E4454-773E-4735-B5D4-9F2E6537B8B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "9544B2F5-C913-4ECE-8028-8BFBFD36A2EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "312D297B-ACBD-4764-80AD-5AB042DCE01D", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side." }, { "lang": "es", "value": "La configuraci\u00f3n por defecto de un componente TreeGrid usa Object::toString como clave en la comunicaci\u00f3n con el cliente y el servidor en Vaadin versiones 14.8.5 hasta 14.8.9, 22.0.6 hasta 22.0.14, 23.0.0.beta2 hasta 23.0.8 y 23.1.0.alpha1 hasta 23.1.0.alpha4, resultando en una potencial divulgaci\u00f3n de informaci\u00f3n de valores que no deber\u00edan estar disponibles en el lado del cliente" } ], "id": "CVE-2022-29567", "lastModified": "2024-11-21T06:59:20.067", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": 
"security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-24T15:15:08.220", "references": [ { "source": "security@vaadin.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow-components/pull/3046" }, { "source": "security@vaadin.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2022-29567" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow-components/pull/3046" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2022-29567" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-06 13:15
Modified
2024-11-21 06:05
Severity (CVSS v3.1 base scores; the vendor/CNA score from security@vaadin.com is listed first, the NVD score second)
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Unsafe validation RegEx in the EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows an unauthenticated remote attacker (CVSS AV:N/PR:N/UI:N) to cause uncontrolled resource consumption (CWE-400, i.e. a regular-expression denial of service) by submitting crafted email addresses. This is the Vaadin 8 counterpart of CVE-2021-31405 above (EmailField in Flow). The NVD configuration below only gives 8.12.4 as the inclusive upper bound and names no fixed release; consult the vendor advisory and the referenced issue and pull request for the patched version.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/framework/issues/12240 | Patch, Third Party Advisory | |
security@vaadin.com | https://github.com/vaadin/framework/pull/12241 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31409 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/issues/12240 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/12241 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31409 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC3E374E-B6E2-4608-AF87-3CB540D9EA9F", "versionEndIncluding": "8.12.4", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." }, { "lang": "es", "value": "Una comprobaci\u00f3n no segura RegEx en el componente EmailValidator en com.vaadin:vaadin-compatibility-server versiones 8.0.0 hasta 8.12.4, (Vaadin versiones 8.0.0 hasta 8.12.4) permite a atacantes causar un consumo de recursos no controlado mediante el env\u00edo de direcciones de correo electr\u00f3nico maliciosas" } ], "id": "CVE-2021-31409", "lastModified": "2024-11-21T06:05:36.690", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": 
"3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-06T13:15:12.633", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/issues/12240" }, { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12241" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31409" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/issues/12240" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12241" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31409" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-13 11:15
Modified
2024-11-21 06:09
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows an authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/framework/pull/12415 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-33609 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/12415 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-33609 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "B87713FE-14F4-4A75-B880-795A7CDABA69", "versionEndExcluding": "8.14.1", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data." }, { "lang": "es", "value": "Una falta de comprobaci\u00f3n en la clase DataCommunicator en com.vaadin:vaadin-server versiones 8.0.0 hasta 8.14.0 (Vaadin 8.0.0 hasta 8.14.0) permite a un atacante de red autenticado causar el agotamiento de la pila al solicitar demasiadas filas de datos" } ], "id": "CVE-2021-33609", "lastModified": "2024-11-21T06:09:11.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@vaadin.com", "type": 
"Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-10-13T11:15:07.133", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12415" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-33609" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12415" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-33609" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-06-24 12:15
Modified
2024-11-21 06:05
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a network attacker to enumerate all available routes via a crafted HTTP request when the application is running in production mode and no custom handler for NotFoundException is provided.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/11107 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31412 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/11107 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31412 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "08B5A131-071A-4AEC-9F0B-8BF6D38DC85C", "versionEndIncluding": "1.0.14", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F232EDE-AF65-4AA2-846E-3C7A34DA8928", "versionEndIncluding": "1.4.0", "versionStartIncluding": "1.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAF9CA63-A40E-474E-9BE9-8A86A1C2B129", "versionEndIncluding": "2.6.1", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CA90E82-620F-46C0-AB1F-05804328BB54", "versionEndIncluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1551D996-DB49-4E39-9423-BD3CBA2029FA", "versionEndIncluding": "6.0.9", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AAF5648-26F2-4D08-838B-3B3C2E0954D2", "versionEndIncluding": "10.0.18", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "85960C27-DA5B-4215-9C34-4789F32EF260", "versionEndIncluding": "13.0.0", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "4367271F-BC87-4C32-BBFC-F9F97ACD2D33", "versionEndIncluding": "14.6.1", "versionStartIncluding": "14.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC99FEC9-DABA-4E7E-AA04-67146840B360", "versionEndIncluding": "18.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": 
"64FCA0F3-0104-490C-B8CA-860B52BCAC29", "versionEndIncluding": "19.0.8", "versionStartIncluding": "19.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided." }, { "lang": "es", "value": "Un saneamiento inapropiado de la ruta en la vista RouteNotFoundError predeterminada en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.14 (Vaadin versiones 10.0.0 hasta 10.0.18), versiones 1.1.0 anteriores a 2.0.0 (Vaadin versiones 11 anterior a 14), versiones 2.0.0 hasta 2.6.1 (Vaadin versiones 14.0.0 hasta 14. 
6.1), y versiones 3.0.0 hasta 6.0.9 (Vaadin versiones 15.0.0 hasta 19.0.8) permite a un atacante de red enumerar todas las rutas disponibles por medio de una petici\u00f3n HTTP dise\u00f1ada cuando la aplicaci\u00f3n se ejecuta en modo de producci\u00f3n y no se proporciona ning\u00fan controlador personalizado para NotFoundException" } ], "id": "CVE-2021-31412", "lastModified": "2024-11-21T06:05:37.050", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-24T12:15:08.090", "references": [ { "source": 
"security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/11107" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31412" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/11107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31412" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1295" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 05:29
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/framework/issues/7757 | Exploit, Patch, Third Party Advisory | |
security@vaadin.com | https://github.com/vaadin/framework/pull/12104 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2020-36320 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/issues/7757 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/12104 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2020-36320 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB21C85C-04F4-464A-A519-5DAA5B1BE034", "versionEndExcluding": "7.7.22", "versionStartIncluding": "7.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." }, { "lang": "es", "value": "Una comprobaci\u00f3n no segura de RegEx en la clase EmailValidator en com.vaadin: vaadin-server versiones 7.0.0 hasta 7.7.21 (Vaadin versiones 7.0.0 hasta 7.7.21) permite a atacantes causar un consumo de recursos no controlado al enviar direcciones de correo electr\u00f3nico maliciosas" } ], "id": "CVE-2020-36320", "lastModified": "2024-11-21T05:29:16.220", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, 
"source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T16:15:08.360", "references": [ { "source": "security@vaadin.com", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/issues/7757" }, { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12104" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2020-36320" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/issues/7757" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2020-36320" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 04:39
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/5498 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2019-25027 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/5498 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2019-25027 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "496EDAA4-40B8-45BD-A368-D03C8FFE3AAA", "versionEndExcluding": "1.0.11", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6B2ACB9-8B2E-4F8F-8CB6-565C578EB4EB", "versionEndExcluding": "1.4.3", "versionStartIncluding": "1.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "58A54FE8-E0DE-403E-8D47-7E74B2E1D989", "versionEndExcluding": "10.0.14", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD9FF41D-6860-4F1D-9ECD-DC4B61F78998", "versionEndExcluding": "13.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL" }, { "lang": "es", "value": "Una falta de un saneamiento de salida en la visualizaci\u00f3n predeterminada de la funci\u00f3n RouteNotFoundError en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.10 (Vaadin versiones 10.0.0 hasta 10.0.13) y versiones 1.1.0 hasta 1.4.2 (Vaadin versiones 11.0.0 hasta 13.0. 
5), permite al atacante ejecutar JavaScript malicioso por medio de una URL dise\u00f1ada" } ], "id": "CVE-2019-25027", "lastModified": "2024-11-21T04:39:46.430", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T16:15:07.987", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/5498" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2019-25027" 
}, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/5498" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2019-25027" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-81" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-01-20 19:00
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CD6B791-15EB-417E-87B1-7F3F133EB97C", "versionEndIncluding": "6.4.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page." }, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Vaadin anterior a v6.4.9, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores desconocidos relacionados con la p\u00e1gina index." } ], "id": "CVE-2011-0509", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2011-01-20T19:00:11.053", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "http://dev.vaadin.com/ticket/6257" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://osvdb.org/70398" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42879" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://vaadin.com/download/release/6.4/6.4.9/release-notes.html" }, { "source": "cve@mitre.org", "tags": [ 
"Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/45779" }, { "source": "cve@mitre.org", "tags": [ "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64626" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "http://dev.vaadin.com/ticket/6257" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/70398" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42879" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://vaadin.com/download/release/6.4/6.4.9/release-notes.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/45779" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64626" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-02 10:15
Modified
2024-11-21 06:09
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in the browser by opening a crafted URL.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/vaadin-menu-bar/pull/126 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-33611 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/vaadin-menu-bar/pull/126 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-33611 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vaadin | vaadin | * | |
vaadin | vaadin-menu-bar | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "1ACE9CEA-D935-4961-81D6-B886DB4B0348", "versionEndIncluding": "14.4.4", "versionStartIncluding": "14.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin-menu-bar:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4F9D779-8982-4D8D-BE86-14D860337241", "versionEndIncluding": "1.2.0", "versionStartIncluding": "1.0.0", "vulnerable": true } ], "negate": false, "operator": "AND" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL" }, { "lang": "es", "value": "Una falta de saneo de la salida en las fuentes de prueba en org.webjars.bowergithub.vaadin:vaadin-menu-bar versiones 1.0.0 hasta 1.2.0 (Vaadin versiones 14.0.0 hasta 14.4.4), permite a atacantes remotos ejecutar JavaScript malicioso en el navegador al abrir una URL dise\u00f1ada" } ], "id": "CVE-2021-33611", "lastModified": "2024-11-21T06:09:11.620", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", 
"privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-02T10:15:07.683", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/vaadin-menu-bar/pull/126" }, { "source": "security@vaadin.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://vaadin.com/security/cve-2021-33611" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/vaadin-menu-bar/pull/126" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://vaadin.com/security/cve-2021-33611" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-22 13:15
Modified
2024-11-21 07:49
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vaadin | vaadin | * | |
vaadin | vaadin | * | |
vaadin | vaadin | * | |
vaadin | vaadin | * | |
vaadin | vaadin | * | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 | |
vaadin | vaadin | 24.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "12F1F29D-69E8-406E-BB2F-EA3F141CECD7", "versionEndExcluding": "10.0.23", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "78FA5E6A-3D73-4CB9-8724-B7DBFC48A1B7", "versionEndExcluding": "14.10.2", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0719ACD-F9D0-4E28-82BC-AEFE4EB19729", "versionEndIncluding": "22.0.28", "versionStartIncluding": "15.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "9346B94F-48B9-429C-8976-DEC37B7D00F4", "versionEndExcluding": "23.3.14", "versionStartIncluding": "23.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "48E0C567-8C7F-4572-BC4F-F174C6058974", "versionEndExcluding": "24.0.7", "versionStartIncluding": "24.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "5131784E-6951-4BA6-A473-10BE06E3E0F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "07747F12-9827-4543-B66F-253326EC247F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "BD57A5F3-CB86-4B35-823B-DCAEB163D4CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "EB94F579-CDCE-4FA4-BCAF-7747813FB7A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "4464403F-682A-4506-99E7-2CC4E4288C0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha6:*:*:*:*:*:*", "matchCriteriaId": "ECF91FB7-2806-40C1-B27D-461B6836AC7A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vaadin:vaadin:24.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "4ECE8939-9AB8-44AB-8ECC-96844410A973", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "30853513-0CB0-4AD2-B351-635834EA5C40", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6EA983BC-02B6-4F2F-A80B-6505529F8690", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "520B32C2-8D7C-4C6B-8384-4AD5EE575492", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "32B73D72-C04F-4771-AC85-B6369A98685D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests." 
} ], "id": "CVE-2023-25500", "lastModified": "2024-11-21T07:49:37.627", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-22T13:15:09.737", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch" ], "url": "https://github.com/vaadin/flow/pull/16935" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2023-25500" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/vaadin/flow/pull/16935" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2023-25500" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-06-24 12:15
Modified
2024-11-21 06:09
Severity
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in the browser.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/11099 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-33604 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/11099 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-33604 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vaadin | flow-server | * | |
vaadin | flow-server | * | |
vaadin | flow-server | * | |
vaadin | vaadin | * | |
vaadin | vaadin | * | |
vaadin | vaadin | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFD551C5-B7BB-45F2-BBDD-B7181E18B3E0", "versionEndIncluding": "2.6.1", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEF29305-886B-45FA-A98D-B9C2524B4891", "versionEndIncluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB09AE9F-4900-4A18-8071-A5B0E713335F", "versionEndIncluding": "6.0.9", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "4367271F-BC87-4C32-BBFC-F9F97ACD2D33", "versionEndIncluding": "14.6.1", "versionStartIncluding": "14.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC99FEC9-DABA-4E7E-AA04-67146840B360", "versionEndIncluding": "18.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "64FCA0F3-0104-490C-B8CA-860B52BCAC29", "versionEndIncluding": "19.0.8", "versionStartIncluding": "19.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser." 
}, { "lang": "es", "value": "Un error de codificaci\u00f3n de URL en el manejador de modo de desarrollo en com.vaadin:flow-server versiones 2.0.0 hasta 2.6.1 (Vaadin versiones 14.0.0 hasta 14.6.1), versiones 3.0.0 hasta 6.0.9 (Vaadin versiones 15.0.0 hasta 19.0.8) permite a un usuario local ejecutar c\u00f3digo JavaScript arbitrario al abrir una URL dise\u00f1ada en el navegador" } ], "id": "CVE-2021-33604", "lastModified": "2024-11-21T06:09:11.187", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 1.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2021-06-24T12:15:08.157", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/11099" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-33604" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/11099" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-33604" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-172" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 06:05
Severity
4.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to guess a security token via a timing attack.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/framework/pull/12188 | Patch, Third Party Advisory | |
security@vaadin.com | https://github.com/vaadin/framework/pull/12190 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31403 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/12188 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/12190 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31403 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C38D198-2ABE-4074-A889-282E7938E76D", "versionEndExcluding": "7.7.24", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC04E83C-6C04-4BAD-AF0F-4B91F067B65C", "versionEndExcluding": "8.12.3", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack" }, { "lang": "es", "value": "La comparaci\u00f3n non-constant-time de tokens CSRF en el controlador de peticiones UIDL en com.vaadin:vaadin-server versiones 7.0.0 hasta 7.7.23 (Vaadin versiones 7.0.0 hasta 7.7.23) y versiones 8.0.0 hasta 8.12.2 (Vaadin versiones 8.0.0 hasta 8.12.2), permite al atacante adivinar un token de seguridad por medio de un ataque de sincronizaci\u00f3n" } ], "id": "CVE-2021-31403", "lastModified": "2024-11-21T06:05:35.593", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, 
"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.4, "impactScore": 2.5, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T16:15:08.600", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12188" }, { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12190" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31403" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12188" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/framework/pull/12190" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31403" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-208" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 05:29
Severity
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/8016 | Patch, Third Party Advisory | |
security@vaadin.com | https://github.com/vaadin/flow/pull/8051 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2020-36319 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/8016 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/8051 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2020-36319 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "52FD9743-E6D2-4D76-BD66-9ACD84CBD5DB", "versionEndExcluding": "3.0.6", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A40CF3E-711F-485B-B69B-3C9042048D54", "versionEndExcluding": "15.0.5", "versionStartIncluding": "15.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController" }, { "lang": "es", "value": "Una configuraci\u00f3n no segura del ObjectMapper predeterminado en com.vaadin:flow-server versiones 3.0.0 hasta 3.0.5 (Vaadin versiones 15.0.0 hasta 15.0.4), pueden exponer datos confidenciales si la aplicaci\u00f3n tambi\u00e9n usa, por ejemplo, @RestController" } ], "id": "CVE-2020-36319", "lastModified": "2024-11-21T05:29:16.027", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T16:15:08.317", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/8016" }, { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/8051" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2020-36319" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/8016" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/8051" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2020-36319" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-668" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 06:05
Severity
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/10229 | Patch, Third Party Advisory | |
security@vaadin.com | https://github.com/vaadin/flow/pull/10269 | Patch, Third Party Advisory | |
security@vaadin.com | https://github.com/vaadin/osgi/issues/50 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31407 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/10229 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/10269 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/osgi/issues/50 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31407 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E3DE3D6-5F47-4347-AD2C-B6ACCE0AE0A6", "versionEndExcluding": "2.4.8", "versionStartIncluding": "1.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCA508EE-E259-4B03-9427-71B87478417C", "versionEndExcluding": "6.0.2", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "86C5C2D8-20E4-47F1-907B-5A8439285777", "versionEndExcluding": "14.4.10", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:19.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "B26A2E69-D944-4470-A8C3-C5E80DDECFF5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request." 
}, { "lang": "es", "value": "Una vulnerabilidad en la integraci\u00f3n de OSGi en com.vaadin:flow-server versiones 1.2.0 hasta 2.4.7 (Vaadin versiones 12.0.0 hasta 14.4.9) y versiones 6.0.0 hasta 6.0.1 (Vaadin versi\u00f3n 19.0.0), permite al atacante acceder a las clases y recursos de aplicaci\u00f3n en el servidor por medio de una petici\u00f3n HTTP dise\u00f1ada" } ], "id": "CVE-2021-31407", "lastModified": "2024-11-21T06:05:36.100", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2021-04-23T16:15:08.767", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10229" }, { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10269" }, { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/osgi/issues/50" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31407" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10229" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10269" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/osgi/issues/50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31407" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-402" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-668" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 17:15
Modified
2024-11-21 06:05
Severity
6.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
References
Source | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/10577 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31408 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/10577 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31408 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "138C0A40-EC8F-4F6F-B907-1F5282B83958", "versionEndExcluding": "6.0.0", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9CCDECF-655E-48E5-ADEC-F5189C6E043D", "versionEndExcluding": "6.0.5", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "74A5FA0C-C1AE-496E-8601-A9CC193F750E", "versionEndExcluding": "19.0.4", "versionStartIncluding": "19.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:18.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "B0C90C81-A26F-4686-BC0C-6D86C3620F5C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out." 
}, { "lang": "es", "value": "El asistente Authentication.logout() en com.vaadin:flow-client versiones 5.0.0 anteriores a 6.0.0 (Vaadin 18) y versiones 6.0.0 hasta 6.0.4 (versiones Vaadin 19.0.0 hasta 19.0.3) usan un m\u00e9todo HTTP incorrecto , que, en combinaci\u00f3n con la protecci\u00f3n CSRF de Spring Security, permite a atacantes locales acceder a endpoints de Fusion despu\u00e9s de que el usuario intenta cerrar la sesi\u00f3n" } ], "id": "CVE-2021-31408", "lastModified": "2024-11-21T06:05:36.240", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.2, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-23T17:15:08.260", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10577" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31408" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10577" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31408" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-613" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-613" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 05:29
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Improper URL validation in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows an attacker to request arbitrary files stored outside of the intended frontend resources folder.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/9392 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2020-36321 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/9392 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2020-36321 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9F825A6-D1D8-4CA3-8595-1DEE1B99AF50", "versionEndExcluding": "2.4.2", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "796C0FAD-172F-4186-847E-5312F3664734", "versionEndExcluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A09E99C-3093-4D42-A347-15364DB56297", "versionEndExcluding": "14.4.3", "versionStartIncluding": "14.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "D41F68B2-1AD5-4800-8085-8CE37869946C", "versionEndExcluding": "18.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder." 
}, { "lang": "es", "value": "Una comprobaci\u00f3n incorrecta de URL en el controlador del modo de desarrollo en com.vaadin:flow-server versiones 2.0.0 hasta 2.4.1 (Vaadin versiones 14.0.0 hasta 14.4.2) y versiones 3.0 anteriores a 5.0 (Vaadin versiones 15 anteriores a 18), permiten al atacante pedir archivos arbitrarios almacenados fuera de la carpeta de recursos de la interfaz prevista" } ], "id": "CVE-2020-36321", "lastModified": "2024-11-21T05:29:16.367", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2021-04-23T16:15:08.403", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/9392" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2020-36321" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/9392" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2020-36321" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-22 13:15
Modified
2024-11-21 07:49
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
When non-visible components are added to the UI on the server side, their content is still sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "12F1F29D-69E8-406E-BB2F-EA3F141CECD7", "versionEndExcluding": "10.0.23", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "B100421F-58C7-454A-949C-338C4B990925", "versionEndExcluding": "14.10.1", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0719ACD-F9D0-4E28-82BC-AEFE4EB19729", "versionEndIncluding": "22.0.28", "versionStartIncluding": "15.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "74BA613E-932F-45A3-88D2-EA8B42158429", "versionEndExcluding": "23.3.13", "versionStartIncluding": "23.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F7402D6-2F33-4352-9E70-16EA3C45B795", "versionEndExcluding": "24.0.6", "versionStartIncluding": "24.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "5131784E-6951-4BA6-A473-10BE06E3E0F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "07747F12-9827-4543-B66F-253326EC247F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "BD57A5F3-CB86-4B35-823B-DCAEB163D4CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "EB94F579-CDCE-4FA4-BCAF-7747813FB7A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "4464403F-682A-4506-99E7-2CC4E4288C0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha6:*:*:*:*:*:*", "matchCriteriaId": "ECF91FB7-2806-40C1-B27D-461B6836AC7A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vaadin:vaadin:24.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "4ECE8939-9AB8-44AB-8ECC-96844410A973", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n" } ], "id": "CVE-2023-25499", "lastModified": "2024-11-21T07:49:37.500", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-22T13:15:09.660", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch" ], "url": "https://github.com/vaadin/flow/pull/15885" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/CVE-2023-25499" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/vaadin/flow/pull/15885" 
}, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/CVE-2023-25499" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-05 19:15
Modified
2024-11-21 06:05
Severity ?
6.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/10640 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31411 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/10640 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31411 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BDE9ACA-7666-444D-8615-A164C0E0A8A4", "versionEndExcluding": "2.5.3", "versionStartIncluding": "2.0.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CA90E82-620F-46C0-AB1F-05804328BB54", "versionEndIncluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5DCFE72-3FCF-4ED7-A8B3-A0DBE48AE3A5", "versionEndIncluding": "6.0.6", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "B77BD429-7BB9-454A-A2B2-71081416E416", "versionEndExcluding": "14.5.3", "versionStartIncluding": "14.0.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B1E8A6A-57AD-41FA-8768-9B60C356E78B", "versionEndExcluding": "19.0.5", "versionStartIncluding": "15.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds." 
}, { "lang": "es", "value": "Un uso de directorio temporal no seguro en la funcionalidad frontend build de com.vaadin:flow-server versiones 2.0.9 hasta 2.5.2 (Vaadin versiones 14.0.3 hasta Vaadin 14.5.2), versiones 3.0 anteriores 6.0 (Vaadin versiones 15 anteriores a 19) y versiones 6.0 .0 hasta 6.0.5 (Vaadin versiones 19.0.0 hasta 19.0.4), permite a usuarios locales inyectar c\u00f3digo malicioso en los recursos frontend durante la reconstrucci\u00f3n de la aplicaci\u00f3n" } ], "id": "CVE-2021-31411", "lastModified": "2024-11-21T06:05:36.923", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, 
"exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-05T19:15:08.777", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10640" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31411" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10640" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31411" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-379" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-23 16:15
Modified
2024-11-21 06:05
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows an attacker to guess a security token for Fusion endpoints via a timing attack.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow/pull/10157 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-31406 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/10157 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31406 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A738EE8-ED33-4DF3-9B27-4BEDA32DAF13", "versionEndExcluding": "5.0.4", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:flow:6.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "E257F9BA-A8BF-419A-B7C9-49815A837DB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "56B0887F-B5F8-49C2-8D19-C72F99C053D0", "versionEndExcluding": "18.0.7", "versionStartIncluding": "15.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vaadin:vaadin:19.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "B26A2E69-D944-4470-A8C3-C5E80DDECFF5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack." 
}, { "lang": "es", "value": "La comparaci\u00f3n non-constant-time de tokens CSRF en el manejador de peticiones de endpoint en com.vaadin:flow-server versiones 3.0.0 hasta 5.0.3 (Vaadin versiones 15.0.0 hasta 18.0.6) y com.vaadin:fusion-endpoint versi\u00f3n 6.0.0 (Vaadin versi\u00f3n 19.0.0), permite al atacante adivinar un token de seguridad para los endpoints de Fusion por medio de un ataque de sincronizaci\u00f3n" } ], "id": "CVE-2021-31406", "lastModified": "2024-11-21T06:05:35.980", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.4, "impactScore": 2.5, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": 
"Primary" } ] }, "published": "2021-04-23T16:15:08.727", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10157" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31406" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow/pull/10157" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-31406" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-208" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-25 13:15
Modified
2024-11-21 06:09
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside an enabled CheckboxGroup component via unspecified vectors.
References
▶ | URL | Tags | |
---|---|---|---|
security@vaadin.com | https://github.com/vaadin/flow-components/pull/1903 | Patch, Third Party Advisory | |
security@vaadin.com | https://vaadin.com/security/cve-2021-33605 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow-components/pull/1903 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-33605 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vaadin | vaadin-checkbox-flow | * | |
vaadin | vaadin | * | |
vaadin | vaadin-checkbox-flow | * | |
vaadin | vaadin | * | |
vaadin | vaadin-checkbox-flow | * | |
vaadin | vaadin | * | |
vaadin | vaadin-checkbox-flow | * | |
vaadin | vaadin | * | |
vaadin | vaadin-checkbox-flow | * | |
vaadin | vaadin | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "79D9299A-4A66-42E8-A044-FF9D9A559AC1", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6979479B-0708-439D-AC2F-62807ACA2B95", "versionEndExcluding": "14.0.0", "versionStartIncluding": "12.0.0", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AD0AABC-FA18-431F-862A-86BB888B9187", "versionEndExcluding": "3.0.0", "versionStartIncluding": "2.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "F87F8662-9F8C-438A-A364-2F9BE35584B4", "versionEndExcluding": "14.5.0", "versionStartIncluding": "14.0.0", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "818D7592-155A-40AE-BDFF-0A2B03D8F15A", "versionEndExcluding": "4.0.1", "versionStartIncluding": "3.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C540D0C-0B64-49FB-87B7-9D856C31154F", "versionEndExcluding": "17.0.11", "versionStartIncluding": "15.0.0", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E3BD92E-4CE4-45AB-9197-61E0DCE83A0E", "versionEndExcluding": "14.6.7", "versionStartIncluding": "14.5.0", "vulnerable": true } ], "negate": 
false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "001E8DD4-AAAF-4B6F-B46E-FECC92642B16", "versionEndExcluding": "14.6.7", "versionStartIncluding": "14.5.0", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "12EFCD71-0838-472D-BCF5-62839EB5D4FC", "versionEndExcluding": "20.0.5", "versionStartIncluding": "18.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "70F531B2-ED8F-4157-82B6-A31F06A82F34", "versionEndExcluding": "20.0.5", "versionStartIncluding": "18.0.0", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors." }, { "lang": "es", "value": "Una comprobaci\u00f3n inapropiada en CheckboxGroup en las versiones: com.vaadin:vaadin-checkbox-flow 1.2.0 anterior a 2.0.0 (Vaadin 12.0.0 anterior a 14.0.0), 2.0.0 anterior a 3.0.0 (Vaadin 14.0.0 anterior a 14.5.0), 3.0.0 hasta 4.0.1 (Vaadin 15.0.0 hasta 17.0. 11), 14.5.0 hasta 14.6.7 (Vaadin 14.5.0 hasta 14.6.7), y 18.0.0 hasta 20.0.5 (Vaadin 18.0.0 hasta 20.0.5) permite a atacantes modificar el valor de un Checkbox deshabilitado dentro de un componente CheckboxGroup habilitado por medio de vectores no especificados." 
} ], "id": "CVE-2021-33605", "lastModified": "2024-11-21T06:09:11.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-25T13:15:07.270", "references": [ { "source": "security@vaadin.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vaadin/flow-components/pull/1903" }, { "source": "security@vaadin.com", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-33605" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third 
Party Advisory" ], "url": "https://github.com/vaadin/flow-components/pull/1903" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://vaadin.com/security/cve-2021-33605" } ], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-754" } ], "source": "security@vaadin.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-754" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2023-25500 (GCVE-0-2023-25500)
Vulnerability from cvelistv5
Published
2023-06-22 12:49
Modified
2024-12-05 19:59
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, and 24.1.0.alpha1 to 24.1.0.rc2: class and method names may be disclosed in RPC responses when modified requests are sent.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | vaadin | vaadin |
Versions: 10.0.0, 11.0.0, 15.0.0, 23.0.0, 24.0.0, 24.1.0.alpha1
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:25:18.633Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/16935" }, { "tags": [ "x_transferred" ], "url": "https://vaadin.com/security/cve-2023-25500" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-25500", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-05T19:59:24.082540Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-05T19:59:30.912Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "vaadin", "vendor": "vaadin", "versions": [ { "lessThanOrEqual": "10.0.23", "status": "affected", "version": "10.0.0", "versionType": "maven" }, { "lessThanOrEqual": "14.10.1", "status": "affected", "version": "11.0.0", "versionType": "maven" }, { "lessThanOrEqual": "22.0.8", "status": "affected", "version": "15.0.0", "versionType": "maven" }, { "lessThanOrEqual": "23.3.13", "status": "affected", "version": "23.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.0.6", "status": "affected", "version": "24.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.1.0.rc2", "status": "affected", "version": "24.1.0.alpha1", "versionType": "maven" } ] }, { "defaultStatus": "unaffected", "product": "flow-server", "vendor": "flow", "versions": [ { "lessThanOrEqual": "1.0.20", "status": "affected", "version": "1.0.0", "versionType": "maven" }, { "lessThanOrEqual": "2.9.2", "status": "affected", "version": "1.1.0", "versionType": "maven" }, { "lessThanOrEqual": "9.1.1", "status": "affected", "version": "3.0.0", "versionType": "maven" }, { "lessThanOrEqual": "23.3.12", 
"status": "affected", "version": "23.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.0.8", "status": "affected", "version": "24.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.1.0.rc3", "status": "affected", "version": "24.1.0.alpha1", "versionType": "maven" } ] } ], "datePublic": "2023-06-22T13:25:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests." } ], "value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-22T13:14:15.174Z", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "url": "https://github.com/vaadin/flow/pull/16935" }, { "url": "https://vaadin.com/security/cve-2023-25500" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2023-25500", "datePublished": "2023-06-22T12:49:06.603Z", "dateReserved": "2023-02-06T20:44:44.569Z", "dateUpdated": "2024-12-05T19:59:30.912Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31406 (GCVE-0-2021-31406)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-17 00:02
CWE
- CWE-208 - Information Exposure Through Timing Discrepancy
Summary
Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows an attacker to guess a security token for Fusion endpoints via a timing attack.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | Version: 19.0.0; Version: 15.0.0 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.767Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31406" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/10157" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "status": "affected", "version": "19.0.0" }, { "lessThan": "*", "status": "affected", "version": "15.0.0", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "status": "affected", "version": "6.0.0" }, { "lessThan": "*", "status": "affected", "version": "3.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered and responsibly reported by Xhelal Likaj." } ], "datePublic": "2021-03-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-208", "description": "CWE-208 Information Exposure Through Timing Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2021-31406" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/10157" } ], "source": { "discovery": "EXTERNAL" }, "title": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-03-19T09:17:00.000Z", "ID": "CVE-2021-31406", "STATE": "PUBLIC", "TITLE": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "15.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "18.0.6 +1" }, { "platform": "", "version_affected": "=", "version_name": "", "version_value": "19.0.0" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "3.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", 
"version_value": "5.0.3 +1" }, { "platform": "", "version_affected": "=", "version_name": "", "version_value": "6.0.0" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [ { "lang": "eng", "value": "This issue was discovered and responsibly reported by Xhelal Likaj." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-208 Information Exposure Through Timing Discrepancy" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31406", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2021-31406" }, { "name": "https://github.com/vaadin/flow/pull/10157", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/10157" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "EXTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31406", "datePublished": "2021-04-23T16:05:41.375797Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-17T00:02:31.310Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31404 (GCVE-0-2021-31404)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-16 23:46
CWE
- CWE-208 - Information Exposure Through Timing Discrepancy
Summary
Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows an attacker to guess a security token via a timing attack.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | Version: 10.0.0 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.827Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31404" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/9875" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "11.0.0", "status": "affected" }, { "at": "14.0.0", "status": "unaffected" }, { "at": "14.0.0", "status": "affected" }, { "at": "15.0.0", "status": "affected" }, { "at": "18.0.0", "status": "unaffected" }, { "at": "18.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "10.0.0", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "1.1.0", "status": "affected" }, { "at": "2.0.0", "status": "unaffected" }, { "at": "2.0.0", "status": "affected" }, { "at": "3.0.0", "status": "affected" }, { "at": "5.0.0", "status": "unaffected" }, { "at": "5.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered and responsibly reported by Xhelal Likaj." } ], "datePublic": "2021-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-208", "description": "CWE-208 Information Exposure Through Timing Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2021-31404" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/9875" } ], "source": { "discovery": "EXTERNAL" }, "title": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-02-17T09:17:00.000Z", "ID": "CVE-2021-31404", "STATE": "PUBLIC", "TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "10.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "10.0.16 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "11.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "14.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "14.0.0" }, { "platform": "", 
"version_affected": "\u003c=", "version_name": "", "version_value": "14.4.6 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "15.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "18.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "18.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "18.0.5 +1" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "1.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "1.0.13 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "1.1.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "2.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "2.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "2.4.6 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "3.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "5.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "5.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "5.0.2 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [ { "lang": "eng", "value": "This issue was discovered and responsibly reported by Xhelal Likaj." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-208 Information Exposure Through Timing Discrepancy" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31404", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2021-31404" }, { "name": "https://github.com/vaadin/flow/pull/9875", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/9875" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "EXTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31404", "datePublished": "2021-04-23T16:05:41.141706Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T23:46:26.136Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31411 (GCVE-0-2021-31411)
Vulnerability from cvelistv5
Published
2021-05-05 18:15
Modified
2024-09-16 18:08
CWE
- CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions
Summary
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | Version: 14.0.3 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.894Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31411" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/10640" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "15.0.0", "status": "affected" }, { "at": "19.0.0", "status": "unaffected" }, { "at": "19.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "14.0.3", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "3.0.0", "status": "affected" }, { "at": "6.0.0", "status": "unaffected" }, { "at": "6.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "2.0.9", "versionType": "custom" } ] } ], "datePublic": "2021-05-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-379", "description": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T18:15:13", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://vaadin.com/security/cve-2021-31411" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/flow/pull/10640" } ], "source": { "discovery": "INTERNAL" }, "title": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-05-04T08:17:00.000Z", "ID": "CVE-2021-31411", "STATE": "PUBLIC", "TITLE": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "14.0.3" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "14.5.2 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "15.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "19.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": 
"19.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "19.0.4 +1" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "2.0.9" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "2.5.2 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "3.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "6.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "6.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "6.0.5 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds." 
} ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31411", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-31411" }, { "name": "https://github.com/vaadin/flow/pull/10640", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow/pull/10640" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31411", "datePublished": "2021-05-05T18:15:13.220834Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T18:08:17.789Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-25027 (GCVE-0-2019-25027)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-17 01:15
CWE
- CWE-81 - Improper Neutralization of Script in an Error Message Web Page
Summary
Missing output sanitization in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | Version: 10.0.0 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:00:19.062Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2019-25027" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/5498" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "11.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "10.0.0", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "1.1.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] } ], "datePublic": "2019-05-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-81", "description": "CWE-81 Improper Neutralization of Script in an Error Message Web Page", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": 
"https://vaadin.com/security/cve-2019-25027" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/5498" } ], "source": { "discovery": "INTERNAL" }, "title": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2019-05-27T08:17:00.000Z", "ID": "CVE-2019-25027", "STATE": "PUBLIC", "TITLE": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "10.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "10.0.13 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "11.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "13.0.5 +1" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "1.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "1.0.10 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "1.1.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "1.4.2 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 
11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL" } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-81 Improper Neutralization of Script in an Error Message Web Page" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2019-25027", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2019-25027" }, { "name": "https://github.com/vaadin/flow/pull/5498", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/5498" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2019-25027", "datePublished": "2021-04-23T16:05:40.442066Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-17T01:15:38.495Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31405 (GCVE-0-2021-31405)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-17 02:32
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | Version: 14.0.6 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.726Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31405" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow-components/pull/442" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "15.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "14.0.6", "versionType": "custom" } ] }, { "product": "vaadin-text-field-flow", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "3.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "2.0.4", "versionType": "custom" } ] } ], "datePublic": "2021-03-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2021-31405" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow-components/pull/442" } ], "source": { "discovery": "INTERNAL" }, "title": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-03-11T09:17:00.000Z", "ID": "CVE-2021-31405", "STATE": "PUBLIC", "TITLE": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "14.0.6" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "14.4.3 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "15.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "17.0.10 +1" } ] } }, { "product_name": "vaadin-text-field-flow", "version": { "version_data": [ { "platform": "", 
"version_affected": "\u003e=", "version_name": "", "version_value": "2.0.4" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "2.3.2 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "3.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "4.0.2 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31405", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2021-31405" }, { "name": "https://github.com/vaadin/flow-components/pull/442", "refsource": "MISC", "url": "https://github.com/vaadin/flow-components/pull/442" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": 
"Vaadin", "cveId": "CVE-2021-31405", "datePublished": "2021-04-23T16:05:41.259237Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-17T02:32:47.630Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31412 (GCVE-0-2021-31412)
Vulnerability from cvelistv5
Published
2021-06-24 11:33
Modified
2024-09-16 16:18
CWE
- CWE-1295 - Debug Messages Revealing Unnecessary Information
Summary
Improper sanitization of the path in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a network attacker to enumerate all available routes via a crafted HTTP request when the application is running in production mode and no custom handler for NotFoundException is provided.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 10.0.0 through 10.0.18; 11.0.0 prior to 14.0.0; 14.0.0 through 14.6.1; 15.0.0 through 19.0.8 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.804Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31412" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/11107" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "10.0.0", "versionType": "custom" }, { "lessThanOrEqual": "10.0.18", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "11.0.0", "versionType": "custom" }, { "lessThan": "14.0.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom" }, { "lessThanOrEqual": "14.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "15.0.0", "versionType": "custom" }, { "lessThanOrEqual": "19.0.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "1.0.0", "versionType": "custom" }, { "lessThanOrEqual": "1.0.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "1.1.0", "versionType": "custom" }, { "lessThan": "2.0.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThanOrEqual": "2.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" 
}, { "lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "6.0.9", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-06-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1295", "description": "CWE-1295 Debug Messages Revealing Unnecessary Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-24T11:33:10", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://vaadin.com/security/cve-2021-31412" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/flow/pull/11107" } ], "source": { "discovery": "INTERNAL" }, "title": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": 
"2021-06-24T09:31:00.000Z", "ID": "CVE-2021-31412", "STATE": "PUBLIC", "TITLE": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "10.0.0" }, { "version_affected": "\u003c=", "version_value": "10.0.18" }, { "version_affected": "\u003e=", "version_value": "11.0.0" }, { "version_affected": "\u003c", "version_value": "14.0.0" }, { "version_affected": "\u003e=", "version_value": "14.0.0" }, { "version_affected": "\u003c=", "version_value": "14.6.1" }, { "version_affected": "\u003e=", "version_value": "15.0.0" }, { "version_affected": "\u003c=", "version_value": "19.0.8" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "1.0.0" }, { "version_affected": "\u003c=", "version_value": "1.0.14" }, { "version_affected": "\u003e=", "version_value": "1.1.0" }, { "version_affected": "\u003c", "version_value": "2.0.0" }, { "version_affected": "\u003e=", "version_value": "2.0.0" }, { "version_affected": "\u003c=", "version_value": "2.6.1" }, { "version_affected": "\u003e=", "version_value": "3.0.0" }, { "version_affected": "\u003c=", "version_value": "6.0.9" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no 
custom handler for NotFoundException is provided." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-1295 Debug Messages Revealing Unnecessary Information" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31412", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-31412" }, { "name": "https://github.com/vaadin/flow/pull/11107", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow/pull/11107" } ] }, "source": { "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31412", "datePublished": "2021-06-24T11:33:10.535178Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T16:18:47.406Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-29567 (GCVE-0-2022-29567)
Vulnerability from cvelistv5
Published
2022-05-24 14:20
Modified
2024-09-16 18:09
CWE
- CWE-200 - Information Exposure
Summary
The default configuration of a TreeGrid component uses Object::toString as a key in client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client side.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | vaadin |
Version: 14.8.5 through 14.8.9; 22.0.6 through 22.0.14; 23.0.0.beta2 through 23.0.8; 23.1.0.alpha1 through 23.1.0.alpha4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:26:06.318Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2022-29567" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow-components/pull/3046" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "14.8.5", "versionType": "custom" }, { "lessThanOrEqual": "14.8.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "22.0.6", "versionType": "custom" }, { "lessThanOrEqual": "22.0.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "23.0.0.beta2", "versionType": "custom" }, { "lessThanOrEqual": "23.0.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "23.1.0.alpha1", "versionType": "custom" }, { "lessThanOrEqual": "23.1.0.alpha4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "vaadin-grid-flow", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "14.8.5", "versionType": "custom" }, { "lessThanOrEqual": "14.8.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "22.0.6", "versionType": "custom" }, { "lessThanOrEqual": "22.0.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "23.0.0.beta2", "versionType": "custom" }, { "lessThanOrEqual": "23.0.8", "status": 
"affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "23.1.0.alpha1", "versionType": "custom" }, { "lessThanOrEqual": "23.1.0.alpha4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2022-05-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-24T14:20:19", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2022-29567" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow-components/pull/3046" } ], "source": { "discovery": "EXTERNAL" }, "title": "Possible information disclosure inside TreeGrid component with default data provider", "workarounds": [ { "lang": "en", "value": "User might define either: custom `toString()` or `getId()` in their entity." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2022-05-24T10:44:00.000Z", "ID": "CVE-2022-29567", "STATE": "PUBLIC", "TITLE": "Possible information disclosure inside TreeGrid component with default data provider" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "vaadin", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "14.8.5" }, { "version_affected": "\u003c=", "version_value": "14.8.9" }, { "version_affected": "\u003e=", "version_value": "22.0.6" }, { "version_affected": "\u003c=", "version_value": "22.0.14" }, { "version_affected": "\u003e=", "version_value": "23.0.0.beta2" }, { "version_affected": "\u003c=", "version_value": "23.0.8" }, { "version_affected": "\u003e=", "version_value": "23.1.0.alpha1" }, { "version_affected": "\u003c=", "version_value": "23.1.0.alpha4" } ] } }, { "product_name": "vaadin-grid-flow", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "14.8.5" }, { "version_affected": "\u003c=", "version_value": "14.8.9" }, { "version_affected": "\u003e=", "version_value": "22.0.6" }, { "version_affected": "\u003c=", "version_value": "22.0.14" }, { "version_affected": "\u003e=", "version_value": "23.0.0.beta2" }, { "version_affected": "\u003c=", "version_value": "23.0.8" }, { "version_affected": "\u003e=", "version_value": "23.1.0.alpha1" }, { "version_affected": "\u003c=", "version_value": "23.1.0.alpha4" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in 
potential information disclosure of values that should not be available on the client-side." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2022-29567", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2022-29567" }, { "name": "https://github.com/vaadin/flow-components/pull/3046", "refsource": "MISC", "url": "https://github.com/vaadin/flow-components/pull/3046" } ] }, "source": { "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "User might define either: custom `toString()` or `getId()` in their entity." } ] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2022-29567", "datePublished": "2022-05-24T14:20:19.452600Z", "dateReserved": "2022-04-21T00:00:00", "dateUpdated": "2024-09-16T18:09:13.978Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-25028 (GCVE-0-2019-25028)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-16 20:57
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Summary
Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 7.4.0 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:00:18.983Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2019-25028" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/framework/pull/11644" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/framework/pull/11645" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "8.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "7.4.0", "versionType": "custom" } ] }, { "product": "vaadin-server", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "8.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "7.4.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered and responsibly reported by MATE Marketing Technologie" } ], "datePublic": "2019-07-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic 
XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2019-25028" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/framework/pull/11644" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/framework/pull/11645" } ], "source": { "discovery": "USER" }, "title": "Stored cross-site scripting in Grid component in Vaadin 7 and 8", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2019-07-04T08:17:00.000Z", "ID": "CVE-2019-25028", "STATE": "PUBLIC", "TITLE": "Stored cross-site scripting in Grid component in Vaadin 7 and 8" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "7.4.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "7.7.19 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "8.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "8.8.4 +1" } ] } }, { "product_name": "vaadin-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "7.4.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "7.7.19 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "8.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "8.8.4 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [ { "lang": "eng", "value": "This issue was 
discovered and responsibly reported by MATE Marketing Technologie" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector" } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2019-25028", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2019-25028" }, { "name": "https://github.com/vaadin/framework/pull/11644", "refsource": "MISC", "url": "https://github.com/vaadin/framework/pull/11644" }, { "name": "https://github.com/vaadin/framework/pull/11645", "refsource": "MISC", "url": "https://github.com/vaadin/framework/pull/11645" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "USER" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2019-25028", "datePublished": "2021-04-23T16:05:40.548950Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-16T20:57:32.611Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-36321 (GCVE-0-2020-36321)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-17 00:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper URL validation in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows an attacker to request arbitrary files stored outside of the intended frontend resources folder.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 14.0.0 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:10.431Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2020-36321" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/9392" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "15.0.0", "status": "affected" }, { "at": "18.0.0", "status": "unaffected" } ], "lessThan": "*", "status": "affected", "version": "14.0.0", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "3.0.0", "status": "affected" }, { "at": "5.0.0", "status": "unaffected" } ], "lessThan": "*", "status": "affected", "version": "2.0.0", "versionType": "custom" } ] } ], "datePublic": "2020-11-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2020-36321" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/9392" } ], "source": { "discovery": "INTERNAL" }, "title": "Directory traversal in development mode handler in Vaadin 14 and 15-17", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2020-11-26T09:17:00.000Z", "ID": "CVE-2020-36321", "STATE": "PUBLIC", "TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "14.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "14.4.2 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "15.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "18.0.0" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "platform": "", "version_affected": 
"\u003e=", "version_name": "", "version_value": "2.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "2.4.1 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "3.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "5.0.0" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2020-36321", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2020-36321" }, { "name": "https://github.com/vaadin/flow/pull/9392", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/9392" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", 
"cveId": "CVE-2020-36321", "datePublished": "2021-04-23T16:05:40.889444Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-17T00:45:59.853Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-25007 (GCVE-0-2018-25007)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-16 18:18
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | 10.0.0 < * (the CNA record leaves the range open-ended; the summary bounds it to 10.0.0 through 10.0.7 and 11.0.0 through 11.0.2 — treat the open-ended range as a data artefact when matching, not as "every later release is affected") |
| Vaadin | flow-server | 1.0.0 < * (summary bounds it to 1.0.0 through 1.0.5) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:26:39.439Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2018-25007" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/4774" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "11.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "10.0.0", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "lessThan": "*", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] } ], "datePublic": "2018-11-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2018-25007" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/4774" } ], "source": { "discovery": "INTERNAL" }, "title": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2018-11-29T09:17:00.000Z", "ID": "CVE-2018-25007", "STATE": "PUBLIC", "TITLE": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "10.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "10.0.7 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "11.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "11.0.2 +1" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", 
"version_name": "", "version_value": "1.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "1.0.5 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-754 Improper Check for Unusual or Exceptional Conditions" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2018-25007", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2018-25007" }, { "name": "https://github.com/vaadin/flow/pull/4774", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/4774" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2018-25007", "datePublished": "2021-04-23T16:05:40.338203Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-16T18:18:49.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31407 (GCVE-0-2021-31407)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-16 17:17
CWE
- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Summary
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | 19.0.0; 12.0.0 < * (the CNA record leaves the second range open-ended; the summary bounds it to 12.0.0 through 14.4.9) |
| Vaadin | flow-server | 1.2.0 < * (summary bounds it to 1.2.0 through 2.4.7 and 6.0.0 through 6.0.1) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.737Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31407" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/osgi/issues/50" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/10229" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/10269" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "status": "affected", "version": "19.0.0" }, { "lessThan": "*", "status": "affected", "version": "12.0.0", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "6.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "1.2.0", "versionType": "custom" } ] } ], "datePublic": "2021-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-402", "description": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2021-31407" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/osgi/issues/50" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/10229" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/10269" } ], "source": { "discovery": "INTERNAL" }, "title": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-03-29T08:17:00.000Z", "ID": "CVE-2021-31407", "STATE": "PUBLIC", "TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "12.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "14.4.9 +1" }, { "platform": "", "version_affected": "=", "version_name": "", "version_value": "19.0.0" } ] } }, { "product_name": 
"flow-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "1.2.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "2.4.7 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "6.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "6.0.1 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31407", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2021-31407" }, { "name": "https://github.com/vaadin/osgi/issues/50", "refsource": "MISC", "url": "https://github.com/vaadin/osgi/issues/50" }, { "name": "https://github.com/vaadin/flow/pull/10229", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/10229" }, { "name": 
"https://github.com/vaadin/flow/pull/10269", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/10269" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31407", "datePublished": "2021-04-23T16:05:41.485696Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T17:17:43.411Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-25499 (GCVE-0-2023-25499)
Vulnerability from cvelistv5
Published
2023-06-22 12:47
Modified
2024-12-05 19:58
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
When non-visible components are added to the UI on the server side, their content is still sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5, and 24.1.0.alpha1 through 24.1.0.beta1, resulting in potential information disclosure: on affected versions, data placed in a hidden component must not be assumed to be withheld from the client.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| vaadin | vaadin | 10.0.0 through 10.0.22; 11.0.0 through 14.10.0; 15.0.0 through 22.0.28; 23.0.0 through 23.3.12; 24.0.0 through 24.0.5; 24.1.0.alpha1 through 24.1.0.beta1 |
| vaadin | flow-server | 1.0.0 through 24.0.0.beta1 (as recorded); 1.1.0 through 2.8.9; 3.3.0 through 9.1.0; 23.0.0 through 23.3.10; 24.0.0 through 24.0.7; 24.1.0.alpha1 through 24.1.0.beta1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:25:18.642Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://vaadin.com/security/CVE-2023-25499" }, { "tags": [ "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/15885" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-25499", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-05T19:58:40.795727Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-05T19:58:49.359Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "vaadin", "repo": "https://github.com/vaadin/platform", "vendor": "vaadin", "versions": [ { "lessThanOrEqual": "10.0.22", "status": "affected", "version": "10.0.0", "versionType": "maven" }, { "lessThanOrEqual": "14.10.0", "status": "affected", "version": "11.0.0", "versionType": "maven" }, { "lessThanOrEqual": "22.0.28", "status": "affected", "version": "15.0.0", "versionType": "maven" }, { "lessThanOrEqual": "23.3.12", "status": "affected", "version": "23.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.0.5", "status": "affected", "version": "24.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.1.0.beta1", "status": "affected", "version": "24.1.0.alpha1", "versionType": "maven" } ] }, { "defaultStatus": "unaffected", "product": "flow-server", "repo": "https://github.com/vaadin/flow", "vendor": "vaadin", "versions": [ { "lessThanOrEqual": "24.0.0.beta1", "status": "affected", "version": "1.0.0", "versionType": "maven" }, { "lessThanOrEqual": "2.8.9", "status": "affected", "version": "1.1.0", "versionType": "maven" }, { "lessThanOrEqual": "9.1.0", 
"status": "affected", "version": "3.3.0", "versionType": "maven" }, { "lessThanOrEqual": "23.3.10", "status": "affected", "version": "23.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.0.7", "status": "affected", "version": "24.0.0", "versionType": "maven" }, { "lessThanOrEqual": "24.1.0.beta1", "status": "affected", "version": "24.1.0.alpha1", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Kim Lepp\u00e4nen" } ], "datePublic": "2023-06-21T22:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\u003cp\u003e\u003c/p\u003e" } ], "value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": 
"2023-06-22T12:47:57.760Z", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "url": "https://vaadin.com/security/CVE-2023-25499" }, { "url": "https://github.com/vaadin/flow/pull/15885" } ], "source": { "discovery": "UNKNOWN" }, "title": "Possible information disclosure in non visible components", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2023-25499", "datePublished": "2023-06-22T12:47:57.760Z", "dateReserved": "2023-02-06T20:44:44.569Z", "dateUpdated": "2024-12-05T19:58:49.359Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-36319 (GCVE-0-2020-36319)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-16 23:45
CWE
- CWE-200 - Information Exposure
Summary
Insecure configuration of the default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses, e.g., @RestController.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | 15.0.0 < * (the CNA record leaves the range open-ended; the summary bounds it to 15.0.0 through 15.0.4) |
| Vaadin | flow-server | 3.0.0 < * (summary bounds it to 3.0.0 through 3.0.5) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:10.530Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2020-36319" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/8016" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/8051" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "*", "status": "affected", "version": "15.0.0", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "lessThan": "*", "status": "affected", "version": "3.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)." } ], "datePublic": "2020-04-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. 
@RestController" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2020-36319" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/8016" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/8051" } ], "source": { "discovery": "EXTERNAL" }, "title": "Potential sensitive data exposure in applications using Vaadin 15", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2020-04-21T08:17:00.000Z", "ID": "CVE-2020-36319", "STATE": "PUBLIC", "TITLE": "Potential sensitive data exposure in applications using Vaadin 15" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "15.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "15.0.4 +1" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "3.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "3.0.5 +1" } ] } } ] }, 
"vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [ { "lang": "eng", "value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController" } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2020-36319", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2020-36319" }, { "name": "https://github.com/vaadin/flow/pull/8016", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/8016" }, { "name": "https://github.com/vaadin/flow/pull/8051", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/8051" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "EXTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2020-36319", "datePublished": "2021-04-23T16:05:40.661202Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-16T23:45:49.973Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31403 (GCVE-0-2021-31403)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-16 22:08
CWE
- CWE-208 - Information Exposure Through Timing Discrepancy
Summary
Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to guess a security token via a timing attack.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | 7.0.0 < * (the CNA record leaves the range open-ended; the summary bounds it to 7.0.0 through 7.7.23 and 8.0.0 through 8.12.2) |
| Vaadin | vaadin-server | 7.0.0 < * (summary bounds it to 7.0.0 through 7.7.23 and 8.0.0 through 8.12.2) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.636Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31403" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/framework/pull/12190" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/framework/pull/12188" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "8.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "7.0.0", "versionType": "custom" } ] }, { "product": "vaadin-server", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "8.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "7.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered and responsibly reported by Xhelal Likaj." 
} ], "datePublic": "2021-02-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-208", "description": "CWE-208 Information Exposure Through Timing Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2021-31403" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/framework/pull/12190" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/framework/pull/12188" } ], "source": { "discovery": "EXTERNAL" }, "title": "Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-02-12T09:17:00.000Z", "ID": "CVE-2021-31403", "STATE": "PUBLIC", "TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": 
"7.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "7.7.23 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "8.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "8.12.2 +1" } ] } }, { "product_name": "vaadin-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "7.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "7.7.21 +1" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "8.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "8.12.2 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [ { "lang": "eng", "value": "This issue was discovered and responsibly reported by Xhelal Likaj." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack" } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-208 Information Exposure Through Timing Discrepancy" } ] } ] }, "references": { "reference_data": [ { "name": 
"https://vaadin.com/security/cve-2021-31403", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2021-31403" }, { "name": "https://github.com/vaadin/framework/pull/12190", "refsource": "MISC", "url": "https://github.com/vaadin/framework/pull/12190" }, { "name": "https://github.com/vaadin/framework/pull/12188", "refsource": "MISC", "url": "https://github.com/vaadin/framework/pull/12188" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "EXTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31403", "datePublished": "2021-04-23T16:05:41.014749Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T22:08:44.800Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-33605 (GCVE-0-2021-33605)
Vulnerability from cvelistv5
Published
2021-08-25 12:12
Modified
2024-09-17 02:53
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 12.0.0 < unspecified Version: unspecified < 14.0.0 Version: 14.0.0 < unspecified Version: unspecified < 14.5.0 Version: 15.0.0 < unspecified Version: unspecified < Version: 14.5.0 < unspecified Version: unspecified < Version: 18.0.0 < unspecified Version: unspecified < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:50:43.245Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-33605" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/flow-components/pull/1903" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "12.0.0", "versionType": "custom" }, { "lessThan": "14.0.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom" }, { "lessThan": "14.5.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "15.0.0", "versionType": "custom" }, { "lessThanOrEqual": "17.0.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "14.5.0", "versionType": "custom" }, { "lessThanOrEqual": "14.6.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "18.0.0", "versionType": "custom" }, { "lessThanOrEqual": "20.0.5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "vaadin-checkbox-flow", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "1.2.0", "versionType": "custom" }, { "lessThan": "2.0.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThan": "3.0.0", "status": "affected", "version": "unspecified", "versionType": 
"custom" }, { "lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "4.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "14.5.0", "versionType": "custom" }, { "lessThanOrEqual": "14.6.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "18.0.0", "versionType": "custom" }, { "lessThanOrEqual": "20.0.5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-25T12:12:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://vaadin.com/security/cve-2021-33605" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/flow-components/pull/1903" } ], "source": { "discovery": "INTERNAL" }, "title": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-08-25T11:46:00.000Z", "ID": "CVE-2021-33605", "STATE": "PUBLIC", "TITLE": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "12.0.0" }, { "version_affected": "\u003c", "version_value": "14.0.0" }, { "version_affected": "\u003e=", "version_value": "14.0.0" }, { "version_affected": "\u003c", "version_value": "14.5.0" }, { "version_affected": "\u003e=", "version_value": "15.0.0" }, { "version_affected": "\u003c=", "version_value": "17.0.11" }, { "version_affected": "\u003e=", "version_value": "14.5.0" }, { "version_affected": "\u003c=", "version_value": "14.6.7" }, { "version_affected": 
"\u003e=", "version_value": "18.0.0" }, { "version_affected": "\u003c=", "version_value": "20.0.5" } ] } }, { "product_name": "vaadin-checkbox-flow", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "1.2.0" }, { "version_affected": "\u003c", "version_value": "2.0.0" }, { "version_affected": "\u003e=", "version_value": "2.0.0" }, { "version_affected": "\u003c", "version_value": "3.0.0" }, { "version_affected": "\u003e=", "version_value": "3.0.0" }, { "version_affected": "\u003c=", "version_value": "4.0.1" }, { "version_affected": "\u003e=", "version_value": "14.5.0" }, { "version_affected": "\u003c=", "version_value": "14.6.7" }, { "version_affected": "\u003e=", "version_value": "18.0.0" }, { "version_affected": "\u003c=", "version_value": "20.0.5" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-754 Improper Check for Unusual or Exceptional Conditions" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-33605", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-33605" }, { "name": "https://github.com/vaadin/flow-components/pull/1903", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow-components/pull/1903" } ] }, "source": { "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-33605", "datePublished": "2021-08-25T12:12:41.760458Z", "dateReserved": "2021-05-27T00:00:00", "dateUpdated": "2024-09-17T02:53:05.351Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31409 (GCVE-0-2021-31409)
Vulnerability from cvelistv5
Published
2021-05-05 19:07
Modified
2024-09-17 04:24
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 8.0.0 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31409" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/framework/issues/12240" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/framework/pull/12241" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "*", "status": "affected", "version": "8.0.0", "versionType": "custom" } ] }, { "product": "vaadin-compatibility-server", "vendor": "Vaadin", "versions": [ { "lessThan": "*", "status": "affected", "version": "8.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered and responsibly reported by Stefan Penndorf." } ], "datePublic": "2021-04-30T00:00:00", "descriptions": [ { "lang": "en", "value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T19:07:30", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://vaadin.com/security/cve-2021-31409" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/framework/issues/12240" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/framework/pull/12241" } ], "source": { "discovery": "EXTERNAL" }, "title": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-04-30T08:17:00.000Z", "ID": "CVE-2021-31409", "STATE": "PUBLIC", "TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "8.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "8.12.4 +1" } ] } }, { "product_name": "vaadin-compatibility-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": 
"8.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "8.12.4 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [ { "lang": "eng", "value": "This issue was discovered and responsibly reported by Stefan Penndorf." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31409", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-31409" }, { "name": "https://github.com/vaadin/framework/issues/12240", "refsource": "CONFIRM", "url": "https://github.com/vaadin/framework/issues/12240" }, { "name": "https://github.com/vaadin/framework/pull/12241", "refsource": "CONFIRM", "url": "https://github.com/vaadin/framework/pull/12241" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "EXTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31409", "datePublished": 
"2021-05-05T19:07:30.536900Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-17T04:24:18.976Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-33611 (GCVE-0-2021-33611)
Vulnerability from cvelistv5
Published
2021-11-02 10:06
Modified
2024-09-17 02:32
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in the browser by opening a crafted URL.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 14.0.0 < unspecified Version: unspecified <= 14.4.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:58:21.422Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-33611" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/vaadin-menu-bar/pull/126" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom" }, { "lessThanOrEqual": "14.4.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "vaadin-menu-bar", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "1.0.0", "versionType": "custom" }, { "lessThanOrEqual": "1.2.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-11-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-02T10:06:56", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": 
"Vaadin" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://vaadin.com/security/cve-2021-33611" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/vaadin-menu-bar/pull/126" } ], "source": { "discovery": "INTERNAL" }, "title": "Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-11-01T09:45:00.000Z", "ID": "CVE-2021-33611", "STATE": "PUBLIC", "TITLE": "Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "14.0.0" }, { "version_affected": "\u003c=", "version_value": "14.4.4" } ] } }, { "product_name": "vaadin-menu-bar", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "1.0.0" }, { "version_affected": "\u003c=", "version_value": "1.2.0" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ 
{ "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-33611", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-33611" }, { "name": "https://github.com/vaadin/vaadin-menu-bar/pull/126", "refsource": "CONFIRM", "url": "https://github.com/vaadin/vaadin-menu-bar/pull/126" } ] }, "source": { "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-33611", "datePublished": "2021-11-02T10:06:56.037780Z", "dateReserved": "2021-05-27T00:00:00", "dateUpdated": "2024-09-17T02:32:32.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-33604 (GCVE-0-2021-33604)
Vulnerability from cvelistv5
Published
2021-06-24 11:16
Modified
2024-09-17 03:13
CWE
- CWE-172 - Encoding Error
Summary
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in the browser.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 14.0.0 < unspecified Version: unspecified <= 14.6.1 Version: 15.0.0 < unspecified Version: unspecified <= 19.0.8 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:50:43.111Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-33604" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/11099" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom" }, { "lessThanOrEqual": "14.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "15.0.0", "versionType": "custom" }, { "lessThanOrEqual": "19.0.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "flow-server", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThanOrEqual": "2.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "6.0.9", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-06-24T00:00:00", "descriptions": [ { "lang": "en", "value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-172", "description": "CWE-172 Encoding Error", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-24T11:16:27", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://vaadin.com/security/cve-2021-33604" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/flow/pull/11099" } ], "source": { "discovery": "INTERNAL" }, "title": "Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-06-24T09:55:00.000Z", "ID": "CVE-2021-33604", "STATE": "PUBLIC", "TITLE": "Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "14.0.0" }, { "version_affected": "\u003c=", "version_value": "14.6.1" }, { "version_affected": "\u003e=", "version_value": "15.0.0" }, { "version_affected": "\u003c=", "version_value": "19.0.8" } ] } }, { "product_name": "flow-server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2.0.0" }, { "version_affected": "\u003c=", "version_value": "2.6.1" }, { "version_affected": "\u003e=", "version_value": "3.0.0" }, { "version_affected": "\u003c=", "version_value": "6.0.9" } ] } } ] }, 
"vendor_name": "Vaadin" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-172 Encoding Error" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-33604", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-33604" }, { "name": "https://github.com/vaadin/flow/pull/11099", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow/pull/11099" } ] }, "source": { "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-33604", "datePublished": "2021-06-24T11:16:27.149618Z", "dateReserved": "2021-05-27T00:00:00", "dateUpdated": "2024-09-17T03:13:22.641Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-31408 (GCVE-0-2021-31408)
Vulnerability from cvelistv5
Published
2021-04-23 16:07
Modified
2024-09-17 02:06
CWE
- CWE-613 - Insufficient Session Expiration
Summary
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
► | Vaadin | Vaadin |
Version: 18.0.0 < * |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:55:53.814Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-31408" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/flow/pull/10577" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "19.0.0", "status": "unaffected" }, { "at": "19.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "18.0.0", "versionType": "custom" } ] }, { "product": "flow-client", "vendor": "Vaadin", "versions": [ { "changes": [ { "at": "6.0.0", "status": "unaffected" }, { "at": "6.0.0", "status": "affected" } ], "lessThan": "*", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] } ], "datePublic": "2021-04-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:07:16", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2021-31408" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/flow/pull/10577" } ], "source": { "discovery": "INTERNAL" }, "title": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-04-20T08:17:00.000Z", "ID": "CVE-2021-31408", "STATE": "PUBLIC", "TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "18.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "19.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "19.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "19.0.3 +1" } ] } }, { "product_name": "flow-client", "version": { "version_data": [ { "platform": "", 
"version_affected": "\u003e=", "version_name": "", "version_value": "5.0.0" }, { "platform": "", "version_affected": "\u003c", "version_name": "", "version_value": "6.0.0" }, { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "6.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "6.0.4 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-613 Insufficient Session Expiration" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-31408", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2021-31408" }, { "name": "https://github.com/vaadin/flow/pull/10577", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/10577" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", 
"assignerShortName": "Vaadin", "cveId": "CVE-2021-31408", "datePublished": "2021-04-23T16:07:16.629224Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-17T02:06:19.701Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2011-0509 (GCVE-0-2011-0509)
Vulnerability from cvelistv5
Published
2011-01-20 18:00
Modified
2024-08-06 21:58
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page. Note for triage: this 2011 MITRE-assigned record carries no CVSS vector, no CWE, and "n/a" for vendor/product/version in its structured fields; the only affected-version bound is the "before 6.4.9" in the text above, and the vendor's 6.4.9 release notes (linked in the record) are the fix reference.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:58:25.457Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "45779", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45779" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://vaadin.com/download/release/6.4/6.4.9/release-notes.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://dev.vaadin.com/ticket/6257" }, { "name": "70398", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/70398" }, { "name": "42879", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42879" }, { "name": "vaadin-unspec-xss(64626)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64626" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "45779", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45779" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://vaadin.com/download/release/6.4/6.4.9/release-notes.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://dev.vaadin.com/ticket/6257" }, { "name": "70398", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/70398" }, { "name": "42879", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42879" }, { "name": "vaadin-unspec-xss(64626)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64626" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-0509", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "45779", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45779" }, { "name": "http://vaadin.com/download/release/6.4/6.4.9/release-notes.html", "refsource": "CONFIRM", "url": "http://vaadin.com/download/release/6.4/6.4.9/release-notes.html" }, { "name": "http://dev.vaadin.com/ticket/6257", "refsource": "MISC", "url": "http://dev.vaadin.com/ticket/6257" }, { "name": "70398", "refsource": "OSVDB", "url": "http://osvdb.org/70398" }, { "name": "42879", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42879" }, { "name": "vaadin-unspec-xss(64626)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64626" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-0509", "datePublished": "2011-01-20T18:00:00", "dateReserved": "2011-01-20T00:00:00", "dateUpdated": "2024-08-06T21:58:25.457Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-33609 (GCVE-0-2021-33609)
Vulnerability from cvelistv5
Published
2021-10-13 10:58
Modified
2024-09-16 21:04
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows an authenticated network attacker to cause heap exhaustion by requesting too many rows of data. Vendor-assigned CVSS 3.1 in the record below: 4.3 (Medium, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) — exploitation requires an authenticated session (PR:L); the fix reference is vaadin/framework PR #12415.
References
Impacted products

| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | 8.0.0 <= affected <= 8.14.0 |
| Vaadin | vaadin-server (com.vaadin:vaadin-server) | 8.0.0 <= affected <= 8.14.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:50:43.251Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://vaadin.com/security/cve-2021-33609" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vaadin/framework/pull/12415" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThanOrEqual": "8.14.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "vaadin-server", "vendor": "Vaadin", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThanOrEqual": "8.14.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-13T10:58:35", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://vaadin.com/security/cve-2021-33609" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vaadin/framework/pull/12415" } ], "source": { "discovery": "INTERNAL" }, "title": "Denial of service in DataCommunicator class in Vaadin 8", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-10-13T10:09:00.000Z", "ID": "CVE-2021-33609", "STATE": "PUBLIC", "TITLE": "Denial of service in DataCommunicator class in Vaadin 8" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c=", "version_value": "8.14.0" } ] } }, { "product_name": "vaadin-server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c=", "version_value": "8.14.0" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 
(Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2021-33609", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-33609" }, { "name": "https://github.com/vaadin/framework/pull/12415", "refsource": "CONFIRM", "url": "https://github.com/vaadin/framework/pull/12415" } ] }, "source": { "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-33609", "datePublished": "2021-10-13T10:58:35.736529Z", "dateReserved": "2021-05-27T00:00:00", "dateUpdated": "2024-09-16T21:04:18.638Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-36320 (GCVE-0-2020-36320)
Vulnerability from cvelistv5
Published
2021-04-23 16:05
Modified
2024-09-16 16:58
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses (regular-expression denial of service). Vendor-assigned CVSS 3.1 in the record below: 7.5 (High, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) — no authentication or user interaction required; the fix reference is vaadin/framework PR #12104 (issue #7757).
References
Impacted products

| Vendor | Product | Version |
|---|---|---|
| Vaadin | Vaadin | 7.0.0 <= affected <= 7.7.21 (see note) |
| Vaadin | vaadin-server (com.vaadin:vaadin-server) | 7.0.0 <= affected <= 7.7.21 (see note) |

Note: the CNA's structured range in the record below is open-ended (`"version": "7.0.0", "lessThan": "*"`), while the description and the legacy v4 record bound it at 7.7.21 (`"version_value": "7.7.21 +1"`). Confirm the first fixed 7.7.x release against the vendor advisory before treating later 7.x versions as unaffected.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:10.443Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vaadin.com/security/cve-2020-36320" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/framework/issues/7757" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vaadin/framework/pull/12104" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vaadin", "vendor": "Vaadin", "versions": [ { "lessThan": "*", "status": "affected", "version": "7.0.0", "versionType": "custom" } ] }, { "product": "vaadin-server", "vendor": "Vaadin", "versions": [ { "lessThan": "*", "status": "affected", "version": "7.0.0", "versionType": "custom" } ] } ], "datePublic": "2020-10-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-23T16:05:40", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://vaadin.com/security/cve-2020-36320" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/framework/issues/7757" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vaadin/framework/pull/12104" } ], "source": { "discovery": "INTERNAL" }, "title": "Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2020-10-08T08:17:00.000Z", "ID": "CVE-2020-36320", "STATE": "PUBLIC", "TITLE": "Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vaadin", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "7.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", "version_value": "7.7.21 +1" } ] } }, { "product_name": "vaadin-server", "version": { "version_data": [ { "platform": "", "version_affected": "\u003e=", "version_name": "", "version_value": "7.0.0" }, { "platform": "", "version_affected": "\u003c=", "version_name": "", 
"version_value": "7.7.21 +1" } ] } } ] }, "vendor_name": "Vaadin" } ] } }, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://vaadin.com/security/cve-2020-36320", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2020-36320" }, { "name": "https://github.com/vaadin/framework/issues/7757", "refsource": "MISC", "url": "https://github.com/vaadin/framework/issues/7757" }, { "name": "https://github.com/vaadin/framework/pull/12104", "refsource": "MISC", "url": "https://github.com/vaadin/framework/pull/12104" } ] }, "solution": [], "source": { "advisory": "", "defect": [], "discovery": "INTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2020-36320", "datePublished": "2021-04-23T16:05:40.779317Z", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-09-16T16:58:41.413Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }