GSD-2021-31407
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-31407",
"description": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.",
"id": "GSD-2021-31407"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-31407"
],
"details": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.",
"id": "GSD-2021-31407",
"modified": "2023-12-13T01:23:13.471340Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-29T08:17:00.000Z",
"ID": "CVE-2021-31407",
"STATE": "PUBLIC",
"TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "12.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "14.4.9"
},
{
"platform": "",
"version_affected": "=",
"version_name": "",
"version_value": "19.0.0"
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.2.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.4.7"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "6.0.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "6.0.1"
}
]
}
}
]
},
"vendor_name": "Vaadin"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://vaadin.com/security/cve-2021-31407",
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"name": "https://github.com/vaadin/osgi/issues/50",
"refsource": "MISC",
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"name": "https://github.com/vaadin/flow/pull/10229",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"name": "https://github.com/vaadin/flow/pull/10269",
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10269"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "INTERNAL"
},
"work_around": []
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[12.0.0,14.4.10),[19.0.0,19.0.1)",
"affected_versions": "All versions starting from 12.0.0 before 14.4.10, all versions starting from 19.0.0 before 19.0.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2022-08-12",
"description": "A vulnerability in OSGi integration in `com.vaadin:flow-server` allows attacker to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [
"14.4.10",
"19.0.1"
],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "All versions starting from 14.4.10 before 19.0.0, all versions starting from 19.0.1",
"package_slug": "maven/com.vaadin/flow-client",
"pubdate": "2021-04-23",
"solution": "Upgrade to version 14.4.10 or 19.0.1 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "e34f850f-caaa-4589-8ae9-0371829cde63"
},
{
"affected_range": "[1.2.0,2.4.7],[6.0.0,6.0.1]",
"affected_versions": "All versions starting from 1.2.0 through 2.4.7, all versions starting from 6.0.0 through 6.0.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2022-08-12",
"description": "Vulnerability in OSGi integration in `com.vaadin:flow-server` allows attacker to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [
"2.4.8",
"6.0.2"
],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "All versions starting from 2.4.8 before 6.0.0, all versions starting from 6.0.2",
"package_slug": "maven/com.vaadin/flow-server",
"pubdate": "2021-04-23",
"solution": "Upgrade to version 2.4.8, 6.0.2, or higher.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "c2ababc8-b56b-4828-b972-77da7fbeea79"
},
{
"affected_range": "[12.0.0,14.4.10),[19.0.0]",
"affected_versions": "All versions starting from 12.0.0 before 14.4.10, version 19.0.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2021-05-05",
"description": "Vulnerability in OSGi integration in com.vaadin:flow-server (Vaad ) (Vaad ) allows attacker to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "",
"package_slug": "maven/com.vaadin/vaadin-compatibility-server",
"pubdate": "2021-04-23",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "5881ce34-ec65-4c24-8b8e-4131d78d6320"
},
{
"affected_range": "[12.0.0,14.4.10),[19.0.0,19.0.1)",
"affected_versions": "All versions starting from 12.0.0 before 14.4.10, all versions starting from 19.0.0 before 19.0.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-937"
],
"date": "2022-08-12",
"description": "A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows attackers to access application classes and resources on the server via crafted HTTP request.",
"fixed_versions": [
"14.4.10",
"19.0.1"
],
"identifier": "CVE-2021-31407",
"identifiers": [
"CVE-2021-31407"
],
"not_impacted": "All versions starting from 14.4.10 before 15.0.0, all versions starting from 19.0.1",
"package_slug": "maven/com.vaadin/vaadin-server",
"pubdate": "2021-04-23",
"solution": "Upgrade to version 14.4.10 or 19.0.1 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-31407",
"https://vaadin.com/security/cve-2021-31407"
],
"uuid": "11516441-6333-47b7-b2d8-8ef318c21580"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.2",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.4.8",
"versionStartIncluding": "1.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vaadin:vaadin:19.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "14.4.10",
"versionStartIncluding": "12.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@vaadin.com",
"ID": "CVE-2021-31407"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/10269"
},
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vaadin/osgi/issues/50"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-08-12T18:02Z",
"publishedDate": "2021-04-23T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…