CVE-2021-33604

EPSS 0.05%
Veröffentlicht 24.06.2021 12:15:08
Zuletzt bearbeitet 21.11.2024 06:09:11
Quelle security@vaadin.com
CVE-Watchlists
Login
Unerledigt
Login

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vaadin ≫ Flow-server Version >= 2.0.0 <= 2.6.1

Vaadin ≫ Flow-server Version >= 3.0.0 <= 5.0.0

Vaadin ≫ Flow-server Version >= 6.0.0 <= 6.0.9

Vaadin ≫ Vaadin Version >= 14.0.0 <= 14.6.1

Vaadin ≫ Vaadin Version >= 15.0.0 <= 18.0.0

Vaadin ≫ Vaadin Version >= 19.0.0 <= 19.0.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.135

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
nvd@nist.gov	1.2	1.9	2.9	AV:L/AC:H/Au:N/C:P/I:N/A:N
security@vaadin.com	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-172 Encoding Error

The product does not properly encode or decode the data, resulting in unexpected values.

https://github.com/vaadin/flow/pull/11099

Patch

Third Party Advisory

https://vaadin.com/security/cve-2021-33604

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-33604

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-33604

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-33604

EUVD