CVE-2021-31407

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

Published: Apr 23, 2021
Updated: May 9, 2024
CVE: CVE-2021-31407
GHSA: GHSA-25xc-jwfq-39jw
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-668
CWE-402

Affected Software
References

Software	From	Fixed in
vaadin / flow	6.0.0	6.0.2
vaadin / flow	1.2.0	2.4.8
vaadin / vaadin	19.0.0	19.0.0.x
vaadin / vaadin	12.0.0	14.4.10
com.vaadin / flow-server	1.2.0	2.4.8
com.vaadin / flow-server	6.0.0	6.0.0.x
com.vaadin / flow-server	6.0.0	6.0.1

https://github.com/vaadin/flow/pull/10229
https://github.com/vaadin/flow/pull/10269
https://github.com/vaadin/flow/security/advisories/GHSA-25xc-jwfq-39jw
https://github.com/vaadin/osgi/issues/50
https://vaadin.com/security/cve-2021-31407

Vulnerability Database

CVE-2021-31407

Deep Security Visibility Without the Complexity