Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

https://vaadin.com/security/cve-2021-31407

Published: Apr 19, 2021
Updated: Apr 14, 2023
GHSA: GHSA-j9wr-49vq-rm5g
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWEs:

CWE-402

Affected Software
References

Software	From	Fixed in
com.vaadin / vaadin-bom	12.0.0	14.4.10
com.vaadin / vaadin-bom	19.0.0	19.0.0.x
com.vaadin / vaadin-bom	19.0.0	19.0.1

https://github.com/vaadin/platform/security/advisories/GHSA-j9wr-49vq-rm5g
https://vaadin.com/security/cve-2021-31407

Vulnerability Database

291,049

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19