CVE-2021-31407

Опубликовано: 23 апр. 2021

Источник: nvd

CVSS3: 8.6

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

Ссылки

https://github.com/vaadin/flow/pull/10229
Patch
Third Party Advisory
https://github.com/vaadin/flow/pull/10269
Patch
Third Party Advisory
https://github.com/vaadin/osgi/issues/50
Patch
Third Party Advisory
https://vaadin.com/security/cve-2021-31407
Vendor Advisory
https://github.com/vaadin/flow/pull/10229
Patch
Third Party Advisory
https://github.com/vaadin/flow/pull/10269
Patch
Third Party Advisory
https://github.com/vaadin/osgi/issues/50
Patch
Third Party Advisory
https://vaadin.com/security/cve-2021-31407
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*

Версия от 1.2.0 (включая) до 2.4.8 (исключая)

cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*

Версия от 6.0.0 (включая) до 6.0.2 (исключая)

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Версия от 12.0.0 (включая) до 14.4.10 (исключая)

cpe:2.3:a:vaadin:vaadin:19.0.0:-:*:*:*:*:*:*

EPSS

Процентиль: 82%

0.01802

Низкий

8.6 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-402

CWE-668

Связанные уязвимости

GHSA-25xc-jwfq-39jw

CVSS3: 8.6

github

больше 4 лет назад

OSGi applications using Vaadin 12-14 and 19 vulnerable to server classes and resources exposure

EPSS

Процентиль: 82%

0.01802

Низкий

8.6 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-402

CWE-668