Search criteria
70 vulnerabilities found for vaadin by vaadin
CVE-2025-9467 (GCVE-0-2025-9467)
Vulnerability from cvelistv5 – Published: 2025-09-04 06:15 – Updated: 2025-09-04 13:41
VLAI?
Summary
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version
Vaadin 7.0.0 - 7.7.47
Vaadin 8.0.0 - 8.28.1
Vaadin 14.0.0 - 14.13.0
Vaadin 23.0.0 - 23.6.1
Vaadin 24.0.0 - 24.7.6
Mitigation
Upgrade to 7.7.48
Upgrade to 8.28.2
Upgrade to 14.13.1
Upgrade to 23.6.2
Upgrade to 24.7.7 or newer
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.
Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
7.0.0 - 7.7.47
≥7.7.48
com.vaadin:vaadin-server
8.0.0 - 8.28.1
≥8.28.2
com.vaadin:vaadin
14.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin24.0.0 - 24.7.6
≥24.7.7com.vaadin:vaadin-upload-flow
2.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin-upload-flow
23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin-upload-flow
24.0.0 - 24.7.6
≥24.7.7
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
14.0.0 , ≤ 14.13.0
(maven)
Affected: 23.0.0 , ≤ 23.6.1 (maven) Affected: 24.0.0 , ≤ 24.7.6 (maven) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-04T13:28:46.739599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T13:41:24.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-server",
"product": "framework",
"repo": "https://github.com/vaadin/framework",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "7.7.47",
"status": "affected",
"version": "7.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "8.28.1",
"status": "affected",
"version": "8.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-upload-flow",
"product": "vaadin-upload-flow",
"repo": "https://github.com/vaadin/flow-components",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eWhen the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 7.0.0 - 7.7.47\u003cbr\u003eVaadin 8.0.0 - 8.28.1\u003cbr\u003eVaadin 14.0.0 - 14.13.0\u003cbr\u003eVaadin 23.0.0 - 23.6.1\u003cbr\u003eVaadin 24.0.0 - 24.7.6\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 7.7.48\u003cbr\u003eUpgrade to 8.28.2\u003cbr\u003eUpgrade to 14.13.1\u003cbr\u003eUpgrade to 23.6.2\u003cbr\u003eUpgrade to 24.7.7 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u0026nbsp; \u0026nbsp; \u0026nbsp;\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e7.0.0 - 7.7.47\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22657.7.48\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e8.0.0 - 8.28.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22658.28.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e14.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e2.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.47\nVaadin 8.0.0 - 8.28.1\nVaadin 14.0.0 - 14.13.0\nVaadin 23.0.0 - 23.6.1\nVaadin 24.0.0 - 24.7.6\n\nMitigation\nUpgrade to 7.7.48\nUpgrade to 8.28.2\nUpgrade to 14.13.1\nUpgrade to 23.6.2\nUpgrade to 24.7.7 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.47\n\u22657.7.48\ncom.vaadin:vaadin-server\n8.0.0 - 8.28.1\n\u22658.28.2\ncom.vaadin:vaadin\n14.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin24.0.0 - 24.7.6\n\u226524.7.7com.vaadin:vaadin-upload-flow\n2.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin-upload-flow\n23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin-upload-flow\n24.0.0 - 24.7.6\n\u226524.7.7"
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T11:58:03.368Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2025-9467"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possibility to bypass file upload validation on the server-side",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "This issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2025-9467",
"datePublished": "2025-09-04T06:15:47.336Z",
"dateReserved": "2025-08-25T14:57:19.966Z",
"dateUpdated": "2025-09-04T13:41:24.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25500 (GCVE-0-2023-25500)
Vulnerability from cvelistv5 – Published: 2023-06-22 12:49 – Updated: 2024-12-05 19:59
VLAI?
Summary
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
10.0.0 , ≤ 10.0.23
(maven)
Affected: 11.0.0 , ≤ 14.10.1 (maven) Affected: 15.0.0 , ≤ 22.0.8 (maven) Affected: 23.0.0 , ≤ 23.3.13 (maven) Affected: 24.0.0 , ≤ 24.0.6 (maven) Affected: 24.1.0.alpha1 , ≤ 24.1.0.rc2 (maven) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:18.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"tags": [
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T19:59:24.082540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T19:59:30.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vaadin",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "10.0.23",
"status": "affected",
"version": "10.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "14.10.1",
"status": "affected",
"version": "11.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "22.0.8",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.13",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.rc2",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "flow-server",
"vendor": "flow",
"versions": [
{
"lessThanOrEqual": "1.0.20",
"status": "affected",
"version": "1.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "2.9.2",
"status": "affected",
"version": "1.1.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "9.1.1",
"status": "affected",
"version": "3.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.12",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.8",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.rc3",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
}
],
"datePublic": "2023-06-22T13:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests."
}
],
"value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T13:14:15.174Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2023-25500",
"datePublished": "2023-06-22T12:49:06.603Z",
"dateReserved": "2023-02-06T20:44:44.569Z",
"dateUpdated": "2024-12-05T19:59:30.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25499 (GCVE-0-2023-25499)
Vulnerability from cvelistv5 – Published: 2023-06-22 12:47 – Updated: 2024-12-05 19:58
VLAI?
Summary
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.
Severity ?
5.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
10.0.0 , ≤ 10.0.22
(maven)
Affected: 11.0.0 , ≤ 14.10.0 (maven) Affected: 15.0.0 , ≤ 22.0.28 (maven) Affected: 23.0.0 , ≤ 23.3.12 (maven) Affected: 24.0.0 , ≤ 24.0.5 (maven) Affected: 24.1.0.alpha1 , ≤ 24.1.0.beta1 (maven) |
|||||||
|
|||||||||
Credits
Kim Leppänen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:18.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://vaadin.com/security/CVE-2023-25499"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/15885"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T19:58:40.795727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T19:58:49.359Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "10.0.22",
"status": "affected",
"version": "10.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "14.10.0",
"status": "affected",
"version": "11.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "22.0.28",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.12",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.5",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.beta1",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "flow-server",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "24.0.0.beta1",
"status": "affected",
"version": "1.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "2.8.9",
"status": "affected",
"version": "1.1.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "3.3.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.10",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.7",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.beta1",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kim Lepp\u00e4nen"
}
],
"datePublic": "2023-06-21T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\u003cp\u003e\u003c/p\u003e"
}
],
"value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T12:47:57.760Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/CVE-2023-25499"
},
{
"url": "https://github.com/vaadin/flow/pull/15885"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possible information disclosure in non visible components",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2023-25499",
"datePublished": "2023-06-22T12:47:57.760Z",
"dateReserved": "2023-02-06T20:44:44.569Z",
"dateUpdated": "2024-12-05T19:58:49.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29567 (GCVE-0-2022-29567)
Vulnerability from cvelistv5 – Published: 2022-05-24 14:20 – Updated: 2024-09-16 18:09
VLAI?
Summary
The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.
Severity ?
5.7 (Medium)
CWE
- CWE-200 - Information Exposure
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | vaadin |
Affected:
14.8.5 , < unspecified
(custom)
Affected: unspecified , ≤ 14.8.9 (custom) Affected: 22.0.6 , < unspecified (custom) Affected: unspecified , ≤ 22.0.14 (custom) Affected: 23.0.0.beta2 , < unspecified (custom) Affected: unspecified , ≤ 23.0.8 (custom) Affected: 23.1.0.alpha1 , < unspecified (custom) Affected: unspecified , ≤ 23.1.0.alpha4 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:06.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2022-29567"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow-components/pull/3046"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.8.5",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.8.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "22.0.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "22.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.0.0.beta2",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.1.0.alpha1",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.1.0.alpha4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-grid-flow",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.8.5",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.8.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "22.0.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "22.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.0.0.beta2",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.1.0.alpha1",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.1.0.alpha4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-05-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-24T14:20:19",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2022-29567"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow-components/pull/3046"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Possible information disclosure inside TreeGrid component with default data provider",
"workarounds": [
{
"lang": "en",
"value": "User might define either: custom `toString()` or `getId()` in their entity."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2022-05-24T10:44:00.000Z",
"ID": "CVE-2022-29567",
"STATE": "PUBLIC",
"TITLE": "Possible information disclosure inside TreeGrid component with default data provider"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.8.5"
},
{
"version_affected": "\u003c=",
"version_value": "14.8.9"
},
{
"version_affected": "\u003e=",
"version_value": "22.0.6"
},
{
"version_affected": "\u003c=",
"version_value": "22.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "23.0.0.beta2"
},
{
"version_affected": "\u003c=",
"version_value": "23.0.8"
},
{
"version_affected": "\u003e=",
"version_value": "23.1.0.alpha1"
},
{
"version_affected": "\u003c=",
"version_value": "23.1.0.alpha4"
}
]
}
},
{
"product_name": "vaadin-grid-flow",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.8.5"
},
{
"version_affected": "\u003c=",
"version_value": "14.8.9"
},
{
"version_affected": "\u003e=",
"version_value": "22.0.6"
},
{
"version_affected": "\u003c=",
"version_value": "22.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "23.0.0.beta2"
},
{
"version_affected": "\u003c=",
"version_value": "23.0.8"
},
{
"version_affected": "\u003e=",
"version_value": "23.1.0.alpha1"
},
{
"version_affected": "\u003c=",
"version_value": "23.1.0.alpha4"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2022-29567",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2022-29567"
},
{
"name": "https://github.com/vaadin/flow-components/pull/3046",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow-components/pull/3046"
}
]
},
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "User might define either: custom `toString()` or `getId()` in their entity."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2022-29567",
"datePublished": "2022-05-24T14:20:19.452600Z",
"dateReserved": "2022-04-21T00:00:00",
"dateUpdated": "2024-09-16T18:09:13.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33611 (GCVE-0-2021-33611)
Vulnerability from cvelistv5 – Published: 2021-11-02 10:06 – Updated: 2024-09-17 02:32
VLAI?
Summary
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 14.4.4 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:21.422Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33611"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-menu-bar",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-02T10:06:56",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33611"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-11-01T09:45:00.000Z",
"ID": "CVE-2021-33611",
"STATE": "PUBLIC",
"TITLE": "Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.4.4"
}
]
}
},
{
"product_name": "vaadin-menu-bar",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "1.2.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33611",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33611"
},
{
"name": "https://github.com/vaadin/vaadin-menu-bar/pull/126",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33611",
"datePublished": "2021-11-02T10:06:56.037780Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-17T02:32:32.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33609 (GCVE-0-2021-33609)
Vulnerability from cvelistv5 – Published: 2021-10-13 10:58 – Updated: 2024-09-16 21:04
VLAI?
Summary
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
Severity ?
4.3 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
8.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 8.14.0 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:50:43.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33609"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/framework/pull/12415"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-10-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-13T10:58:35",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33609"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/framework/pull/12415"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of service in DataCommunicator class in Vaadin 8",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-10-13T10:09:00.000Z",
"ID": "CVE-2021-33609",
"STATE": "PUBLIC",
"TITLE": "Denial of service in DataCommunicator class in Vaadin 8"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "8.14.0"
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "8.14.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33609",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33609"
},
{
"name": "https://github.com/vaadin/framework/pull/12415",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12415"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33609",
"datePublished": "2021-10-13T10:58:35.736529Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-16T21:04:18.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33605 (GCVE-0-2021-33605)
Vulnerability from cvelistv5 – Published: 2021-08-25 12:12 – Updated: 2024-09-17 02:53
VLAI?
Summary
Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.
Severity ?
4.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
12.0.0 , < unspecified
(custom)
Affected: unspecified , < 14.0.0 (custom) Affected: 14.0.0 , < unspecified (custom) Affected: unspecified , < 14.5.0 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 17.0.11 (custom) Affected: 14.5.0 , < unspecified (custom) Affected: unspecified , ≤ 14.6.7 (custom) Affected: 18.0.0 , < unspecified (custom) Affected: unspecified , ≤ 20.0.5 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:50:43.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33605"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow-components/pull/1903"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
},
{
"lessThan": "14.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThan": "14.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "17.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "18.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-checkbox-flow",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.2.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "18.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-25T12:12:41",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33605"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow-components/pull/1903"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-08-25T11:46:00.000Z",
"ID": "CVE-2021-33605",
"STATE": "PUBLIC",
"TITLE": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "12.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.5.0"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "17.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "14.5.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.7"
},
{
"version_affected": "\u003e=",
"version_value": "18.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "20.0.5"
}
]
}
},
{
"product_name": "vaadin-checkbox-flow",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.2.0"
},
{
"version_affected": "\u003c",
"version_value": "2.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c",
"version_value": "3.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "4.0.1"
},
{
"version_affected": "\u003e=",
"version_value": "14.5.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.7"
},
{
"version_affected": "\u003e=",
"version_value": "18.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "20.0.5"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33605",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33605"
},
{
"name": "https://github.com/vaadin/flow-components/pull/1903",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow-components/pull/1903"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33605",
"datePublished": "2021-08-25T12:12:41.760458Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-17T02:53:05.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31412 (GCVE-0-2021-31412)
Vulnerability from cvelistv5 – Published: 2021-06-24 11:33 – Updated: 2024-09-16 16:18
VLAI?
Summary
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
Severity ?
5.3 (Medium)
CWE
- CWE-1295 - Debug Messages Revealing Unnecessary Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 10.0.18 (custom) Affected: 11.0.0 , < unspecified (custom) Affected: unspecified , < 14.0.0 (custom) Affected: 14.0.0 , < unspecified (custom) Affected: unspecified , ≤ 14.6.1 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 19.0.8 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"lessThan": "14.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1295",
"description": "CWE-1295 Debug Messages Revealing Unnecessary Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T11:33:10",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-06-24T09:31:00.000Z",
"ID": "CVE-2021-31412",
"STATE": "PUBLIC",
"TITLE": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "10.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.18"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "19.0.8"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "1.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "1.1.0"
},
{
"version_affected": "\u003c",
"version_value": "2.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "6.0.9"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1295 Debug Messages Revealing Unnecessary Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31412",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"name": "https://github.com/vaadin/flow/pull/11107",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/11107"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31412",
"datePublished": "2021-06-24T11:33:10.535178Z",
"dateReserved": "2021-04-15T00:00:00",
"dateUpdated": "2024-09-16T16:18:47.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33604 (GCVE-0-2021-33604)
Vulnerability from cvelistv5 – Published: 2021-06-24 11:16 – Updated: 2024-09-17 03:13
VLAI?
Summary
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
Severity ?
CWE
- CWE-172 - Encoding Error
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 14.6.1 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 19.0.8 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:50:43.111Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33604"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/11099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-172",
"description": "CWE-172 Encoding Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T11:16:27",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33604"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/11099"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-06-24T09:55:00.000Z",
"ID": "CVE-2021-33604",
"STATE": "PUBLIC",
"TITLE": "Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "19.0.8"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "6.0.9"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-172 Encoding Error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33604",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33604"
},
{
"name": "https://github.com/vaadin/flow/pull/11099",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/11099"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33604",
"datePublished": "2021-06-24T11:16:27.149618Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-17T03:13:22.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31409 (GCVE-0-2021-31409)
Vulnerability from cvelistv5 – Published: 2021-05-05 19:07 – Updated: 2024-09-17 04:24
VLAI?
Summary
Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
8.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Credits
This issue was discovered and responsibly reported by Stefan Penndorf.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31409"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/framework/pull/12241"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"product": "vaadin-compatibility-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Stefan Penndorf."
}
],
"datePublic": "2021-04-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T19:07:30",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31409"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/framework/pull/12241"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-30T08:17:00.000Z",
"ID": "CVE-2021-31409",
"STATE": "PUBLIC",
"TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "8.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "8.12.4 +1"
}
]
}
},
{
"product_name": "vaadin-compatibility-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "8.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "8.12.4 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Stefan Penndorf."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31409",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31409"
},
{
"name": "https://github.com/vaadin/framework/issues/12240",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"name": "https://github.com/vaadin/framework/pull/12241",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12241"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31409",
"datePublished": "2021-05-05T19:07:30.536900Z",
"dateReserved": "2021-04-15T00:00:00",
"dateUpdated": "2024-09-17T04:24:18.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31411 (GCVE-0-2021-31411)
Vulnerability from cvelistv5 – Published: 2021-05-05 18:15 – Updated: 2024-09-16 18:08
VLAI?
Summary
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
Severity ?
6.3 (Medium)
CWE
- CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.3 , < *
(custom)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/10640"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "15.0.0",
"status": "affected"
},
{
"at": "19.0.0",
"status": "unaffected"
},
{
"at": "19.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14.0.3",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "affected"
},
{
"at": "6.0.0",
"status": "unaffected"
},
{
"at": "6.0.0",
"status": "affected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2.0.9",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-05-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-379",
"description": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T18:15:13",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/10640"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-05-04T08:17:00.000Z",
"ID": "CVE-2021-31411",
"STATE": "PUBLIC",
"TITLE": "Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "14.0.3"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.5.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "15.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "19.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "19.0.4 +1"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "2.0.9"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.5.2 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "3.0.0"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.5 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31411",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"name": "https://github.com/vaadin/flow/pull/10640",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10640"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31411",
"datePublished": "2021-05-05T18:15:13.220834Z",
"dateReserved": "2021-04-15T00:00:00",
"dateUpdated": "2024-09-16T18:08:17.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9467 (GCVE-0-2025-9467)
Vulnerability from nvd – Published: 2025-09-04 06:15 – Updated: 2025-09-04 13:41
VLAI?
Summary
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation.
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version
Vaadin 7.0.0 - 7.7.47
Vaadin 8.0.0 - 8.28.1
Vaadin 14.0.0 - 14.13.0
Vaadin 23.0.0 - 23.6.1
Vaadin 24.0.0 - 24.7.6
Mitigation
Upgrade to 7.7.48
Upgrade to 8.28.2
Upgrade to 14.13.1
Upgrade to 23.6.2
Upgrade to 24.7.7 or newer
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.
Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
7.0.0 - 7.7.47
≥7.7.48
com.vaadin:vaadin-server
8.0.0 - 8.28.1
≥8.28.2
com.vaadin:vaadin
14.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin24.0.0 - 24.7.6
≥24.7.7com.vaadin:vaadin-upload-flow
2.0.0 - 14.13.0
≥14.13.1
com.vaadin:vaadin-upload-flow
23.0.0 - 23.6.1
≥23.6.2
com.vaadin:vaadin-upload-flow
24.0.0 - 24.7.6
≥24.7.7
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
14.0.0 , ≤ 14.13.0
(maven)
Affected: 23.0.0 , ≤ 23.6.1 (maven) Affected: 24.0.0 , ≤ 24.7.6 (maven) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-04T13:28:46.739599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T13:41:24.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-server",
"product": "framework",
"repo": "https://github.com/vaadin/framework",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "7.7.47",
"status": "affected",
"version": "7.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "8.28.1",
"status": "affected",
"version": "8.0.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:vaadin-upload-flow",
"product": "vaadin-upload-flow",
"repo": "https://github.com/vaadin/flow-components",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "14.13.0",
"status": "affected",
"version": "14.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.6.1",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.7.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eWhen the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 7.0.0 - 7.7.47\u003cbr\u003eVaadin 8.0.0 - 8.28.1\u003cbr\u003eVaadin 14.0.0 - 14.13.0\u003cbr\u003eVaadin 23.0.0 - 23.6.1\u003cbr\u003eVaadin 24.0.0 - 24.7.6\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 7.7.48\u003cbr\u003eUpgrade to 8.28.2\u003cbr\u003eUpgrade to 14.13.1\u003cbr\u003eUpgrade to 23.6.2\u003cbr\u003eUpgrade to 24.7.7 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u0026nbsp; \u0026nbsp; \u0026nbsp;\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e7.0.0 - 7.7.47\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22657.7.48\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e8.0.0 - 8.28.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22658.28.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e14.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e2.0.0 - 14.13.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226514.13.1\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.2\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-upload-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.7.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.7.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When the Vaadin Upload\u0027s start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.47\nVaadin 8.0.0 - 8.28.1\nVaadin 14.0.0 - 14.13.0\nVaadin 23.0.0 - 23.6.1\nVaadin 24.0.0 - 24.7.6\n\nMitigation\nUpgrade to 7.7.48\nUpgrade to 8.28.2\nUpgrade to 14.13.1\nUpgrade to 23.6.2\nUpgrade to 24.7.7 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.47\n\u22657.7.48\ncom.vaadin:vaadin-server\n8.0.0 - 8.28.1\n\u22658.28.2\ncom.vaadin:vaadin\n14.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin24.0.0 - 24.7.6\n\u226524.7.7com.vaadin:vaadin-upload-flow\n2.0.0 - 14.13.0\n\u226514.13.1\ncom.vaadin:vaadin-upload-flow\n23.0.0 - 23.6.1\n\u226523.6.2\ncom.vaadin:vaadin-upload-flow\n24.0.0 - 24.7.6\n\u226524.7.7"
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T11:58:03.368Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2025-9467"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possibility to bypass file upload validation on the server-side",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "This issue can also be worked around without updating the version by validating the upload metadata again in the Upload\u0027s finished listener."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2025-9467",
"datePublished": "2025-09-04T06:15:47.336Z",
"dateReserved": "2025-08-25T14:57:19.966Z",
"dateUpdated": "2025-09-04T13:41:24.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25500 (GCVE-0-2023-25500)
Vulnerability from nvd – Published: 2023-06-22 12:49 – Updated: 2024-12-05 19:59
VLAI?
Summary
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
10.0.0 , ≤ 10.0.23
(maven)
Affected: 11.0.0 , ≤ 14.10.1 (maven) Affected: 15.0.0 , ≤ 22.0.8 (maven) Affected: 23.0.0 , ≤ 23.3.13 (maven) Affected: 24.0.0 , ≤ 24.0.6 (maven) Affected: 24.1.0.alpha1 , ≤ 24.1.0.rc2 (maven) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:18.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"tags": [
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T19:59:24.082540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T19:59:30.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vaadin",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "10.0.23",
"status": "affected",
"version": "10.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "14.10.1",
"status": "affected",
"version": "11.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "22.0.8",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.13",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.6",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.rc2",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "flow-server",
"vendor": "flow",
"versions": [
{
"lessThanOrEqual": "1.0.20",
"status": "affected",
"version": "1.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "2.9.2",
"status": "affected",
"version": "1.1.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "9.1.1",
"status": "affected",
"version": "3.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.12",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.8",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.rc3",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
}
],
"datePublic": "2023-06-22T13:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests."
}
],
"value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T13:14:15.174Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2023-25500",
"datePublished": "2023-06-22T12:49:06.603Z",
"dateReserved": "2023-02-06T20:44:44.569Z",
"dateUpdated": "2024-12-05T19:59:30.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25499 (GCVE-0-2023-25499)
Vulnerability from nvd – Published: 2023-06-22 12:47 – Updated: 2024-12-05 19:58
VLAI?
Summary
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.
Severity ?
5.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| vaadin | vaadin |
Affected:
10.0.0 , ≤ 10.0.22
(maven)
Affected: 11.0.0 , ≤ 14.10.0 (maven) Affected: 15.0.0 , ≤ 22.0.28 (maven) Affected: 23.0.0 , ≤ 23.3.12 (maven) Affected: 24.0.0 , ≤ 24.0.5 (maven) Affected: 24.1.0.alpha1 , ≤ 24.1.0.beta1 (maven) |
|||||||
|
|||||||||
Credits
Kim Leppänen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:18.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://vaadin.com/security/CVE-2023-25499"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/15885"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T19:58:40.795727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T19:58:49.359Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vaadin",
"repo": "https://github.com/vaadin/platform",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "10.0.22",
"status": "affected",
"version": "10.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "14.10.0",
"status": "affected",
"version": "11.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "22.0.28",
"status": "affected",
"version": "15.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.12",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.5",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.beta1",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "flow-server",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "24.0.0.beta1",
"status": "affected",
"version": "1.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "2.8.9",
"status": "affected",
"version": "1.1.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "3.3.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "23.3.10",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.0.7",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.1.0.beta1",
"status": "affected",
"version": "24.1.0.alpha1",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kim Lepp\u00e4nen"
}
],
"datePublic": "2023-06-21T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\u003cp\u003e\u003c/p\u003e"
}
],
"value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T12:47:57.760Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/CVE-2023-25499"
},
{
"url": "https://github.com/vaadin/flow/pull/15885"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possible information disclosure in non visible components",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2023-25499",
"datePublished": "2023-06-22T12:47:57.760Z",
"dateReserved": "2023-02-06T20:44:44.569Z",
"dateUpdated": "2024-12-05T19:58:49.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29567 (GCVE-0-2022-29567)
Vulnerability from nvd – Published: 2022-05-24 14:20 – Updated: 2024-09-16 18:09
VLAI?
Summary
The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.
Severity ?
5.7 (Medium)
CWE
- CWE-200 - Information Exposure
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | vaadin |
Affected:
14.8.5 , < unspecified
(custom)
Affected: unspecified , ≤ 14.8.9 (custom) Affected: 22.0.6 , < unspecified (custom) Affected: unspecified , ≤ 22.0.14 (custom) Affected: 23.0.0.beta2 , < unspecified (custom) Affected: unspecified , ≤ 23.0.8 (custom) Affected: 23.1.0.alpha1 , < unspecified (custom) Affected: unspecified , ≤ 23.1.0.alpha4 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:06.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2022-29567"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vaadin/flow-components/pull/3046"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.8.5",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.8.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "22.0.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "22.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.0.0.beta2",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.1.0.alpha1",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.1.0.alpha4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-grid-flow",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.8.5",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.8.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "22.0.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "22.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.0.0.beta2",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "23.1.0.alpha1",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.1.0.alpha4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-05-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-24T14:20:19",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vaadin.com/security/cve-2022-29567"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vaadin/flow-components/pull/3046"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Possible information disclosure inside TreeGrid component with default data provider",
"workarounds": [
{
"lang": "en",
"value": "User might define either: custom `toString()` or `getId()` in their entity."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2022-05-24T10:44:00.000Z",
"ID": "CVE-2022-29567",
"STATE": "PUBLIC",
"TITLE": "Possible information disclosure inside TreeGrid component with default data provider"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.8.5"
},
{
"version_affected": "\u003c=",
"version_value": "14.8.9"
},
{
"version_affected": "\u003e=",
"version_value": "22.0.6"
},
{
"version_affected": "\u003c=",
"version_value": "22.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "23.0.0.beta2"
},
{
"version_affected": "\u003c=",
"version_value": "23.0.8"
},
{
"version_affected": "\u003e=",
"version_value": "23.1.0.alpha1"
},
{
"version_affected": "\u003c=",
"version_value": "23.1.0.alpha4"
}
]
}
},
{
"product_name": "vaadin-grid-flow",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.8.5"
},
{
"version_affected": "\u003c=",
"version_value": "14.8.9"
},
{
"version_affected": "\u003e=",
"version_value": "22.0.6"
},
{
"version_affected": "\u003c=",
"version_value": "22.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "23.0.0.beta2"
},
{
"version_affected": "\u003c=",
"version_value": "23.0.8"
},
{
"version_affected": "\u003e=",
"version_value": "23.1.0.alpha1"
},
{
"version_affected": "\u003c=",
"version_value": "23.1.0.alpha4"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2022-29567",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2022-29567"
},
{
"name": "https://github.com/vaadin/flow-components/pull/3046",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow-components/pull/3046"
}
]
},
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "User might define either: custom `toString()` or `getId()` in their entity."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2022-29567",
"datePublished": "2022-05-24T14:20:19.452600Z",
"dateReserved": "2022-04-21T00:00:00",
"dateUpdated": "2024-09-16T18:09:13.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33611 (GCVE-0-2021-33611)
Vulnerability from nvd – Published: 2021-11-02 10:06 – Updated: 2024-09-17 02:32
VLAI?
Summary
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 14.4.4 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:21.422Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33611"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-menu-bar",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-02T10:06:56",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33611"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-11-01T09:45:00.000Z",
"ID": "CVE-2021-33611",
"STATE": "PUBLIC",
"TITLE": "Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.4.4"
}
]
}
},
{
"product_name": "vaadin-menu-bar",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "1.2.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33611",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33611"
},
{
"name": "https://github.com/vaadin/vaadin-menu-bar/pull/126",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33611",
"datePublished": "2021-11-02T10:06:56.037780Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-17T02:32:32.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33609 (GCVE-0-2021-33609)
Vulnerability from nvd – Published: 2021-10-13 10:58 – Updated: 2024-09-16 21:04
VLAI?
Summary
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
Severity ?
4.3 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
8.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 8.14.0 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:50:43.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33609"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/framework/pull/12415"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.14.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-10-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-13T10:58:35",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33609"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/framework/pull/12415"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of service in DataCommunicator class in Vaadin 8",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-10-13T10:09:00.000Z",
"ID": "CVE-2021-33609",
"STATE": "PUBLIC",
"TITLE": "Denial of service in DataCommunicator class in Vaadin 8"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "8.14.0"
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "8.14.0"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33609",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33609"
},
{
"name": "https://github.com/vaadin/framework/pull/12415",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12415"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33609",
"datePublished": "2021-10-13T10:58:35.736529Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-16T21:04:18.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33605 (GCVE-0-2021-33605)
Vulnerability from nvd – Published: 2021-08-25 12:12 – Updated: 2024-09-17 02:53
VLAI?
Summary
Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.
Severity ?
4.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
12.0.0 , < unspecified
(custom)
Affected: unspecified , < 14.0.0 (custom) Affected: 14.0.0 , < unspecified (custom) Affected: unspecified , < 14.5.0 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 17.0.11 (custom) Affected: 14.5.0 , < unspecified (custom) Affected: unspecified , ≤ 14.6.7 (custom) Affected: 18.0.0 , < unspecified (custom) Affected: unspecified , ≤ 20.0.5 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:50:43.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33605"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow-components/pull/1903"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
},
{
"lessThan": "14.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThan": "14.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "17.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "18.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "vaadin-checkbox-flow",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.2.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "18.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-25T12:12:41",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33605"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow-components/pull/1903"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-08-25T11:46:00.000Z",
"ID": "CVE-2021-33605",
"STATE": "PUBLIC",
"TITLE": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "12.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.5.0"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "17.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "14.5.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.7"
},
{
"version_affected": "\u003e=",
"version_value": "18.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "20.0.5"
}
]
}
},
{
"product_name": "vaadin-checkbox-flow",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.2.0"
},
{
"version_affected": "\u003c",
"version_value": "2.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c",
"version_value": "3.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "4.0.1"
},
{
"version_affected": "\u003e=",
"version_value": "14.5.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.7"
},
{
"version_affected": "\u003e=",
"version_value": "18.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "20.0.5"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33605",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33605"
},
{
"name": "https://github.com/vaadin/flow-components/pull/1903",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow-components/pull/1903"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33605",
"datePublished": "2021-08-25T12:12:41.760458Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-17T02:53:05.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31412 (GCVE-0-2021-31412)
Vulnerability from nvd – Published: 2021-06-24 11:33 – Updated: 2024-09-16 16:18
VLAI?
Summary
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
Severity ?
5.3 (Medium)
CWE
- CWE-1295 - Debug Messages Revealing Unnecessary Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
10.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 10.0.18 (custom) Affected: 11.0.0 , < unspecified (custom) Affected: unspecified , < 14.0.0 (custom) Affected: 14.0.0 , < unspecified (custom) Affected: unspecified , ≤ 14.6.1 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 19.0.8 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"lessThan": "14.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.0.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1295",
"description": "CWE-1295 Debug Messages Revealing Unnecessary Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T11:33:10",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/11107"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-06-24T09:31:00.000Z",
"ID": "CVE-2021-31412",
"STATE": "PUBLIC",
"TITLE": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "10.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.18"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.0"
},
{
"version_affected": "\u003c",
"version_value": "14.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "19.0.8"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "1.0.14"
},
{
"version_affected": "\u003e=",
"version_value": "1.1.0"
},
{
"version_affected": "\u003c",
"version_value": "2.0.0"
},
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "6.0.9"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1295 Debug Messages Revealing Unnecessary Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31412",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"name": "https://github.com/vaadin/flow/pull/11107",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/11107"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31412",
"datePublished": "2021-06-24T11:33:10.535178Z",
"dateReserved": "2021-04-15T00:00:00",
"dateUpdated": "2024-09-16T16:18:47.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33604 (GCVE-0-2021-33604)
Vulnerability from nvd – Published: 2021-06-24 11:16 – Updated: 2024-09-17 03:13
VLAI?
Summary
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
Severity ?
CWE
- CWE-172 - Encoding Error
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
14.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 14.6.1 (custom) Affected: 15.0.0 , < unspecified (custom) Affected: unspecified , ≤ 19.0.8 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:50:43.111Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-33604"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/flow/pull/11099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "14.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flow-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-172",
"description": "CWE-172 Encoding Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T11:16:27",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-33604"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/flow/pull/11099"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-06-24T09:55:00.000Z",
"ID": "CVE-2021-33604",
"STATE": "PUBLIC",
"TITLE": "Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "14.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "14.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "15.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "19.0.8"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.6.1"
},
{
"version_affected": "\u003e=",
"version_value": "3.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "6.0.9"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-172 Encoding Error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-33604",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-33604"
},
{
"name": "https://github.com/vaadin/flow/pull/11099",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/11099"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-33604",
"datePublished": "2021-06-24T11:16:27.149618Z",
"dateReserved": "2021-05-27T00:00:00",
"dateUpdated": "2024-09-17T03:13:22.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31409 (GCVE-0-2021-31409)
Vulnerability from nvd – Published: 2021-05-05 19:07 – Updated: 2024-09-17 04:24
VLAI?
Summary
Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin |
Affected:
8.0.0 , < *
(custom)
|
|||||||
|
|||||||||
Credits
This issue was discovered and responsibly reported by Stefan Penndorf.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://vaadin.com/security/cve-2021-31409"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vaadin/framework/pull/12241"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Vaadin",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"product": "vaadin-compatibility-server",
"vendor": "Vaadin",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and responsibly reported by Stefan Penndorf."
}
],
"datePublic": "2021-04-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T19:07:30",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://vaadin.com/security/cve-2021-31409"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vaadin/framework/pull/12241"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-30T08:17:00.000Z",
"ID": "CVE-2021-31409",
"STATE": "PUBLIC",
"TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "8.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "8.12.4 +1"
}
]
}
},
{
"product_name": "vaadin-compatibility-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "8.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "8.12.4 +1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Stefan Penndorf."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31409",
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31409"
},
{
"name": "https://github.com/vaadin/framework/issues/12240",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"name": "https://github.com/vaadin/framework/pull/12241",
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12241"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2021-31409",
"datePublished": "2021-05-05T19:07:30.536900Z",
"dateReserved": "2021-04-15T00:00:00",
"dateUpdated": "2024-09-17T04:24:18.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2023-25499
Vulnerability from fkie_nvd - Published: 2023-06-22 13:15 - Updated: 2024-11-21 07:49
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12F1F29D-69E8-406E-BB2F-EA3F141CECD7",
"versionEndExcluding": "10.0.23",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B100421F-58C7-454A-949C-338C4B990925",
"versionEndExcluding": "14.10.1",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0719ACD-F9D0-4E28-82BC-AEFE4EB19729",
"versionEndIncluding": "22.0.28",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74BA613E-932F-45A3-88D2-EA8B42158429",
"versionEndExcluding": "23.3.13",
"versionStartIncluding": "23.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F7402D6-2F33-4352-9E70-16EA3C45B795",
"versionEndExcluding": "24.0.6",
"versionStartIncluding": "24.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "5131784E-6951-4BA6-A473-10BE06E3E0F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "07747F12-9827-4543-B66F-253326EC247F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "BD57A5F3-CB86-4B35-823B-DCAEB163D4CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "EB94F579-CDCE-4FA4-BCAF-7747813FB7A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "4464403F-682A-4506-99E7-2CC4E4288C0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "ECF91FB7-2806-40C1-B27D-461B6836AC7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "4ECE8939-9AB8-44AB-8ECC-96844410A973",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n"
}
],
"id": "CVE-2023-25499",
"lastModified": "2024-11-21T07:49:37.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-22T13:15:09.660",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch"
],
"url": "https://github.com/vaadin/flow/pull/15885"
},
{
"source": "security@vaadin.com",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/CVE-2023-25499"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/vaadin/flow/pull/15885"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/CVE-2023-25499"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-25500
Vulnerability from fkie_nvd - Published: 2023-06-22 13:15 - Updated: 2024-11-21 07:49
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vaadin | vaadin | * | |
| vaadin | vaadin | * | |
| vaadin | vaadin | * | |
| vaadin | vaadin | * | |
| vaadin | vaadin | * | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 | |
| vaadin | vaadin | 24.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12F1F29D-69E8-406E-BB2F-EA3F141CECD7",
"versionEndExcluding": "10.0.23",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78FA5E6A-3D73-4CB9-8724-B7DBFC48A1B7",
"versionEndExcluding": "14.10.2",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0719ACD-F9D0-4E28-82BC-AEFE4EB19729",
"versionEndIncluding": "22.0.28",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9346B94F-48B9-429C-8976-DEC37B7D00F4",
"versionEndExcluding": "23.3.14",
"versionStartIncluding": "23.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48E0C567-8C7F-4572-BC4F-F174C6058974",
"versionEndExcluding": "24.0.7",
"versionStartIncluding": "24.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "5131784E-6951-4BA6-A473-10BE06E3E0F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "07747F12-9827-4543-B66F-253326EC247F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "BD57A5F3-CB86-4B35-823B-DCAEB163D4CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "EB94F579-CDCE-4FA4-BCAF-7747813FB7A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "4464403F-682A-4506-99E7-2CC4E4288C0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "ECF91FB7-2806-40C1-B27D-461B6836AC7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "4ECE8939-9AB8-44AB-8ECC-96844410A973",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "30853513-0CB0-4AD2-B351-635834EA5C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "6EA983BC-02B6-4F2F-A80B-6505529F8690",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "520B32C2-8D7C-4C6B-8384-4AD5EE575492",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:24.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "32B73D72-C04F-4771-AC85-B6369A98685D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests."
}
],
"id": "CVE-2023-25500",
"lastModified": "2024-11-21T07:49:37.627",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-22T13:15:09.737",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch"
],
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"source": "security@vaadin.com",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2023-25500"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-29567
Vulnerability from fkie_nvd - Published: 2022-05-24 15:15 - Updated: 2024-11-21 06:59
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.
References
| URL | Tags | ||
|---|---|---|---|
| security@vaadin.com | https://github.com/vaadin/flow-components/pull/3046 | Issue Tracking, Patch, Third Party Advisory | |
| security@vaadin.com | https://vaadin.com/security/cve-2022-29567 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow-components/pull/3046 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2022-29567 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0579A51E-A3E6-4380-A378-55C53EC3768D",
"versionEndIncluding": "14.8.9",
"versionStartIncluding": "14.8.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A7479D6-D6DF-4BE2-AD6C-F92DC502C6B3",
"versionEndIncluding": "22.0.15",
"versionStartIncluding": "22.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5BD69D-AF05-4A3E-AB1C-B3B3D1721E0E",
"versionEndIncluding": "23.0.8",
"versionStartIncluding": "23.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9E4809E3-6B53-484E-BE86-BB554D346C01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "F50971D5-297E-4558-9BE5-AD7378A4215F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "E561C638-33CB-4C1C-9A0B-FC590993C59F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "F992E61E-EC84-44E9-90CE-113EF2B1EB05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F4382528-7D82-4339-8615-891C93D749C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "778333E4-27C5-4EA3-8EF8-48774CE67188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "A84E4454-773E-4735-B5D4-9F2E6537B8B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "9544B2F5-C913-4ECE-8028-8BFBFD36A2EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:23.1.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "312D297B-ACBD-4764-80AD-5AB042DCE01D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side."
},
{
"lang": "es",
"value": "La configuraci\u00f3n por defecto de un componente TreeGrid usa Object::toString como clave en la comunicaci\u00f3n con el cliente y el servidor en Vaadin versiones 14.8.5 hasta 14.8.9, 22.0.6 hasta 22.0.14, 23.0.0.beta2 hasta 23.0.8 y 23.1.0.alpha1 hasta 23.1.0.alpha4, resultando en una potencial divulgaci\u00f3n de informaci\u00f3n de valores que no deber\u00edan estar disponibles en el lado del cliente"
}
],
"id": "CVE-2022-29567",
"lastModified": "2024-11-21T06:59:20.067",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-24T15:15:08.220",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow-components/pull/3046"
},
{
"source": "security@vaadin.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2022-29567"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow-components/pull/3046"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2022-29567"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-33611
Vulnerability from fkie_nvd - Published: 2021-11-02 10:15 - Updated: 2024-11-21 06:09
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL
References
| URL | Tags | ||
|---|---|---|---|
| security@vaadin.com | https://github.com/vaadin/vaadin-menu-bar/pull/126 | Patch, Third Party Advisory | |
| security@vaadin.com | https://vaadin.com/security/cve-2021-33611 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/vaadin-menu-bar/pull/126 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-33611 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vaadin | vaadin | * | |
| vaadin | vaadin-menu-bar | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1ACE9CEA-D935-4961-81D6-B886DB4B0348",
"versionEndIncluding": "14.4.4",
"versionStartIncluding": "14.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin-menu-bar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F9D779-8982-4D8D-BE86-14D860337241",
"versionEndIncluding": "1.2.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL"
},
{
"lang": "es",
"value": "Una falta de saneo de la salida en las fuentes de prueba en org.webjars.bowergithub.vaadin:vaadin-menu-bar versiones 1.0.0 hasta 1.2.0 (Vaadin versiones 14.0.0 hasta 14.4.4), permite a atacantes remotos ejecutar JavaScript malicioso en el navegador al abrir una URL dise\u00f1ada"
}
],
"id": "CVE-2021-33611",
"lastModified": "2024-11-21T06:09:11.620",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-02T10:15:07.683",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
},
{
"source": "security@vaadin.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://vaadin.com/security/cve-2021-33611"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/vaadin-menu-bar/pull/126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://vaadin.com/security/cve-2021-33611"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-33609
Vulnerability from fkie_nvd - Published: 2021-10-13 11:15 - Updated: 2024-11-21 06:09
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
References
| URL | Tags | ||
|---|---|---|---|
| security@vaadin.com | https://github.com/vaadin/framework/pull/12415 | Patch, Third Party Advisory | |
| security@vaadin.com | https://vaadin.com/security/cve-2021-33609 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/12415 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-33609 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B87713FE-14F4-4A75-B880-795A7CDABA69",
"versionEndExcluding": "8.14.1",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data."
},
{
"lang": "es",
"value": "Una falta de comprobaci\u00f3n en la clase DataCommunicator en com.vaadin:vaadin-server versiones 8.0.0 hasta 8.14.0 (Vaadin 8.0.0 hasta 8.14.0) permite a un atacante de red autenticado causar el agotamiento de la pila al solicitar demasiadas filas de datos"
}
],
"id": "CVE-2021-33609",
"lastModified": "2024-11-21T06:09:11.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-13T11:15:07.133",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/framework/pull/12415"
},
{
"source": "security@vaadin.com",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-33609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/framework/pull/12415"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-33609"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-33604
Vulnerability from fkie_nvd - Published: 2021-06-24 12:15 - Updated: 2024-11-21 06:09
Severity ?
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
References
| URL | Tags | ||
|---|---|---|---|
| security@vaadin.com | https://github.com/vaadin/flow/pull/11099 | Patch, Third Party Advisory | |
| security@vaadin.com | https://vaadin.com/security/cve-2021-33604 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/11099 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-33604 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vaadin | flow-server | * | |
| vaadin | flow-server | * | |
| vaadin | flow-server | * | |
| vaadin | vaadin | * | |
| vaadin | vaadin | * | |
| vaadin | vaadin | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EFD551C5-B7BB-45F2-BBDD-B7181E18B3E0",
"versionEndIncluding": "2.6.1",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FEF29305-886B-45FA-A98D-B9C2524B4891",
"versionEndIncluding": "5.0.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB09AE9F-4900-4A18-8071-A5B0E713335F",
"versionEndIncluding": "6.0.9",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4367271F-BC87-4C32-BBFC-F9F97ACD2D33",
"versionEndIncluding": "14.6.1",
"versionStartIncluding": "14.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC99FEC9-DABA-4E7E-AA04-67146840B360",
"versionEndIncluding": "18.0.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64FCA0F3-0104-490C-B8CA-860B52BCAC29",
"versionEndIncluding": "19.0.8",
"versionStartIncluding": "19.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser."
},
{
"lang": "es",
"value": "Un error de codificaci\u00f3n de URL en el manejador de modo de desarrollo en com.vaadin:flow-server versiones 2.0.0 hasta 2.6.1 (Vaadin versiones 14.0.0 hasta 14.6.1), versiones 3.0.0 hasta 6.0.9 (Vaadin versiones 15.0.0 hasta 19.0.8) permite a un usuario local ejecutar c\u00f3digo JavaScript arbitrario al abrir una URL dise\u00f1ada en el navegador"
}
],
"id": "CVE-2021-33604",
"lastModified": "2024-11-21T06:09:11.187",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 1.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 1.4,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-24T12:15:08.157",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/11099"
},
{
"source": "security@vaadin.com",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-33604"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/11099"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-33604"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-172"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-31412
Vulnerability from fkie_nvd - Published: 2021-06-24 12:15 - Updated: 2024-11-21 06:05
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
References
| URL | Tags | ||
|---|---|---|---|
| security@vaadin.com | https://github.com/vaadin/flow/pull/11107 | Patch, Third Party Advisory | |
| security@vaadin.com | https://vaadin.com/security/cve-2021-31412 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/11107 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31412 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08B5A131-071A-4AEC-9F0B-8BF6D38DC85C",
"versionEndIncluding": "1.0.14",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F232EDE-AF65-4AA2-846E-3C7A34DA8928",
"versionEndIncluding": "1.4.0",
"versionStartIncluding": "1.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAF9CA63-A40E-474E-9BE9-8A86A1C2B129",
"versionEndIncluding": "2.6.1",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CA90E82-620F-46C0-AB1F-05804328BB54",
"versionEndIncluding": "5.0.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1551D996-DB49-4E39-9423-BD3CBA2029FA",
"versionEndIncluding": "6.0.9",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6AAF5648-26F2-4D08-838B-3B3C2E0954D2",
"versionEndIncluding": "10.0.18",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "85960C27-DA5B-4215-9C34-4789F32EF260",
"versionEndIncluding": "13.0.0",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4367271F-BC87-4C32-BBFC-F9F97ACD2D33",
"versionEndIncluding": "14.6.1",
"versionStartIncluding": "14.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC99FEC9-DABA-4E7E-AA04-67146840B360",
"versionEndIncluding": "18.0.0",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64FCA0F3-0104-490C-B8CA-860B52BCAC29",
"versionEndIncluding": "19.0.8",
"versionStartIncluding": "19.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."
},
{
"lang": "es",
"value": "Un saneamiento inapropiado de la ruta en la vista RouteNotFoundError predeterminada en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.14 (Vaadin versiones 10.0.0 hasta 10.0.18), versiones 1.1.0 anteriores a 2.0.0 (Vaadin versiones 11 anterior a 14), versiones 2.0.0 hasta 2.6.1 (Vaadin versiones 14.0.0 hasta 14. 6.1), y versiones 3.0.0 hasta 6.0.9 (Vaadin versiones 15.0.0 hasta 19.0.8) permite a un atacante de red enumerar todas las rutas disponibles por medio de una petici\u00f3n HTTP dise\u00f1ada cuando la aplicaci\u00f3n se ejecuta en modo de producci\u00f3n y un controlador personalizado para o NotFoundException es proporcionado"
}
],
"id": "CVE-2021-31412",
"lastModified": "2024-11-21T06:05:37.050",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-24T12:15:08.090",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/11107"
},
{
"source": "security@vaadin.com",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31412"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/11107"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31412"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1295"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-31409
Vulnerability from fkie_nvd - Published: 2021-05-06 13:15 - Updated: 2024-11-21 06:05
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
References
| URL | Tags | ||
|---|---|---|---|
| security@vaadin.com | https://github.com/vaadin/framework/issues/12240 | Patch, Third Party Advisory | |
| security@vaadin.com | https://github.com/vaadin/framework/pull/12241 | Patch, Third Party Advisory | |
| security@vaadin.com | https://vaadin.com/security/cve-2021-31409 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/issues/12240 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/framework/pull/12241 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31409 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC3E374E-B6E2-4608-AF87-3CB540D9EA9F",
"versionEndIncluding": "8.12.4",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
},
{
"lang": "es",
"value": "Una comprobaci\u00f3n no segura RegEx en el componente EmailValidator en com.vaadin:vaadin-compatibility-server versiones 8.0.0 hasta 8.12.4, (Vaadin versiones 8.0.0 hasta 8.12.4) permite a atacantes causar un consumo de recursos no controlado mediante el env\u00edo de direcciones de correo electr\u00f3nico maliciosas"
}
],
"id": "CVE-2021-31409",
"lastModified": "2024-11-21T06:05:36.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-06T13:15:12.633",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"source": "security@vaadin.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/framework/pull/12241"
},
{
"source": "security@vaadin.com",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31409"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/framework/issues/12240"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/framework/pull/12241"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31409"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-31411
Vulnerability from fkie_nvd - Published: 2021-05-05 19:15 - Updated: 2024-11-21 06:05
Severity ?
6.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
References
| URL | Tags | ||
|---|---|---|---|
| security@vaadin.com | https://github.com/vaadin/flow/pull/10640 | Patch, Third Party Advisory | |
| security@vaadin.com | https://vaadin.com/security/cve-2021-31411 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vaadin/flow/pull/10640 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vaadin.com/security/cve-2021-31411 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDE9ACA-7666-444D-8615-A164C0E0A8A4",
"versionEndExcluding": "2.5.3",
"versionStartIncluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CA90E82-620F-46C0-AB1F-05804328BB54",
"versionEndIncluding": "5.0.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5DCFE72-3FCF-4ED7-A8B3-A0DBE48AE3A5",
"versionEndIncluding": "6.0.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B77BD429-7BB9-454A-A2B2-71081416E416",
"versionEndExcluding": "14.5.3",
"versionStartIncluding": "14.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5B1E8A6A-57AD-41FA-8768-9B60C356E78B",
"versionEndExcluding": "19.0.5",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds."
},
{
"lang": "es",
"value": "Un uso de directorio temporal no seguro en la funcionalidad frontend build de com.vaadin:flow-server versiones 2.0.9 hasta 2.5.2 (Vaadin versiones 14.0.3 hasta Vaadin 14.5.2), versiones 3.0 anteriores 6.0 (Vaadin versiones 15 anteriores a 19) y versiones 6.0 .0 hasta 6.0.5 (Vaadin versiones 19.0.0 hasta 19.0.4), permite a usuarios locales inyectar c\u00f3digo malicioso en los recursos frontend durante la reconstrucci\u00f3n de la aplicaci\u00f3n"
}
],
"id": "CVE-2021-31411",
"lastModified": "2024-11-21T06:05:36.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.2,
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-05T19:15:08.777",
"references": [
{
"source": "security@vaadin.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/10640"
},
{
"source": "security@vaadin.com",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31411"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/10640"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31411"
}
],
"sourceIdentifier": "security@vaadin.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-379"
}
],
"source": "security@vaadin.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}