8.6

CVE-2021-31407

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VaadinFlow Version >= 1.2.0 < 2.4.8
VaadinFlow Version >= 6.0.0 < 6.0.2
VaadinVaadin Version >= 12.0.0 < 14.4.10
VaadinVaadin Version19.0.0 Update-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.38% 0.817
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
security@vaadin.com 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/vaadin/flow/pull/10229
Patch
Third Party Advisory
https://github.com/vaadin/flow/pull/10269
Patch
Third Party Advisory
https://github.com/vaadin/osgi/issues/50
Patch
Third Party Advisory
https://vaadin.com/security/cve-2021-31407
Vendor Advisory