gsd-2021-31407
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-31407",
"description": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.",
"id": "GSD-2021-31407"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-31407"
],
"details": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.",
"id": "GSD-2021-31407",
"modified": "2023-12-13T01:23:13.471340Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-29T08:17:00.000Z",
"ID": "CVE-2021-31407",
"STATE": "PUBLIC",
"TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "12.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.9"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "19.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.2.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.7"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31407",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"name": "https://github.com/vaadin/osgi/issues/50",
"refsource": "MISC",
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"name": "https://github.com/vaadin/flow/pull/10229",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"name": "https://github.com/vaadin/flow/pull/10269",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10269"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[12.0.0,14.4.10),[19.0.0,19.0.1)",
"affected_versions": "All versions starting from 12.0.0 before 14.4.10, all versions starting from 19.0.0 before 19.0.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2022-08-12",
"description": "A vulnerability in OSGi integration in `com.vaadin:flow-server` allows attacker to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [
"14.4.10",
"19.0.1"
],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "All versions starting from 14.4.10 before 19.0.0, all versions starting from 19.0.1",
"package_slug": "maven/com.vaadin/flow-client",
"pubdate": "2021-04-23",
"solution": "Upgrade to version 14.4.10 or 19.0.1 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "e34f850f-caaa-4589-8ae9-0371829cde63"
},
{
"affected_range": "[1.2.0,2.4.7],[6.0.0,6.0.1]",
"affected_versions": "All versions starting from 1.2.0 through 2.4.7, all versions starting from 6.0.0 through 6.0.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2022-08-12",
"description": "Vulnerability in OSGi integration in `com.vaadin:flow-server` allows attacker to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [
"2.4.8",
"6.0.2"
],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "All versions starting from 2.4.8 before 6.0.0, all versions starting from 6.0.2",
"package_slug": "maven/com.vaadin/flow-server",
"pubdate": "2021-04-23",
"solution": "Upgrade to version 2.4.8, 6.0.2, or higher.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "c2ababc8-b56b-4828-b972-77da7fbeea79"
},
{
"affected_range": "[12.0.0,14.4.10),[19.0.0]",
"affected_versions": "All versions starting from 12.0.0 before 14.4.10, version 19.0.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2021-05-05",
"description": "Vulnerability in OSGi integration in com.vaadin:flow-server (Vaad ) (Vaad ) allows attacker to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "",
"package_slug": "maven/com.vaadin/vaadin-compatibility-server",
"pubdate": "2021-04-23",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "5881ce34-ec65-4c24-8b8e-4131d78d6320"
},
{
"affected_range": "[12.0.0,14.4.10),[19.0.0,19.0.1)",
"affected_versions": "All versions starting from 12.0.0 before 14.4.10, all versions starting from 19.0.0 before 19.0.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2022-08-12",
"description": "A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows attackers to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [
"14.4.10",
"19.0.1"
],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "All versions starting from 14.4.10 before 15.0.0, all versions starting from 19.0.1",
"package_slug": "maven/com.vaadin/vaadin-server",
"pubdate": "2021-04-23",
"solution": "Upgrade to version 14.4.10 or 19.0.1 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "11516441-6333-47b7-b2d8-8ef318c21580"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.2",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.4.8",
"versionStartIncluding": "1.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vaadin:vaadin:19.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "14.4.10",
"versionStartIncluding": "12.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"ID": "CVE-2021-31407"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/10269"
},
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/osgi/issues/50"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-08-12T18:02Z",
"publishedDate": "2021-04-23T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…