// For flags

CVE-2021-31407

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

Una vulnerabilidad en la integración de OSGi en com.vaadin:flow-server versiones 1.2.0 hasta 2.4.7 (Vaadin versiones 12.0.0 hasta 14.4.9) y versiones 6.0.0 hasta 6.0.1 (Vaadin versión 19.0.0), permite al atacante acceder a las clases y recursos de aplicación en el servidor por medio de una petición HTTP diseñada

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-04-15 CVE Reserved
  • 2021-04-23 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
  • CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Vaadin
Search vendor "Vaadin"
Flow
Search vendor "Vaadin" for product "Flow"
>= 1.2.0 < 2.4.8
Search vendor "Vaadin" for product "Flow" and version " >= 1.2.0 < 2.4.8"
-
Affected
Vaadin
Search vendor "Vaadin"
Flow
Search vendor "Vaadin" for product "Flow"
>= 6.0.0 < 6.0.2
Search vendor "Vaadin" for product "Flow" and version " >= 6.0.0 < 6.0.2"
-
Affected
Vaadin
Search vendor "Vaadin"
Vaadin
Search vendor "Vaadin" for product "Vaadin"
>= 12.0.0 < 14.4.10
Search vendor "Vaadin" for product "Vaadin" and version " >= 12.0.0 < 14.4.10"
-
Affected
Vaadin
Search vendor "Vaadin"
Vaadin
Search vendor "Vaadin" for product "Vaadin"
19.0.0
Search vendor "Vaadin" for product "Vaadin" and version "19.0.0"
-
Affected