CVE-2021-31412
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
Un saneamiento inapropiado de la ruta en la vista RouteNotFoundError predeterminada en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.14 (Vaadin versiones 10.0.0 hasta 10.0.18), versiones 1.1.0 anteriores a 2.0.0 (Vaadin versiones 11 anterior a 14), versiones 2.0.0 hasta 2.6.1 (Vaadin versiones 14.0.0 hasta 14. 6.1), y versiones 3.0.0 hasta 6.0.9 (Vaadin versiones 15.0.0 hasta 19.0.8) permite a un atacante de red enumerar todas las rutas disponibles por medio de una petición HTTP diseñada cuando la aplicación se ejecuta en modo de producción y un controlador personalizado para o NotFoundException es proporcionado
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-04-15 CVE Reserved
- 2021-06-24 CVE Published
- 2024-03-09 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-1295: Debug Messages Revealing Unnecessary Information
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/vaadin/flow/pull/11107 | 2022-10-25 |
| URL | Date | SRC |
|---|---|---|
| https://vaadin.com/security/cve-2021-31412 | 2022-10-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vaadin Search vendor "Vaadin" | Flow Search vendor "Vaadin" for product "Flow" | >= 1.0.0 <= 1.0.14 Search vendor "Vaadin" for product "Flow" and version " >= 1.0.0 <= 1.0.14" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Flow Search vendor "Vaadin" for product "Flow" | >= 1.1.0 <= 1.4.0 Search vendor "Vaadin" for product "Flow" and version " >= 1.1.0 <= 1.4.0" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Flow Search vendor "Vaadin" for product "Flow" | >= 2.0.0 <= 2.6.1 Search vendor "Vaadin" for product "Flow" and version " >= 2.0.0 <= 2.6.1" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Flow Search vendor "Vaadin" for product "Flow" | >= 3.0.0 <= 5.0.0 Search vendor "Vaadin" for product "Flow" and version " >= 3.0.0 <= 5.0.0" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Flow Search vendor "Vaadin" for product "Flow" | >= 6.0.0 <= 6.0.9 Search vendor "Vaadin" for product "Flow" and version " >= 6.0.0 <= 6.0.9" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Vaadin Search vendor "Vaadin" for product "Vaadin" | >= 10.0.0 <= 10.0.18 Search vendor "Vaadin" for product "Vaadin" and version " >= 10.0.0 <= 10.0.18" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Vaadin Search vendor "Vaadin" for product "Vaadin" | >= 11.0.0 <= 13.0.0 Search vendor "Vaadin" for product "Vaadin" and version " >= 11.0.0 <= 13.0.0" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Vaadin Search vendor "Vaadin" for product "Vaadin" | >= 14.0.0 <= 14.6.1 Search vendor "Vaadin" for product "Vaadin" and version " >= 14.0.0 <= 14.6.1" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Vaadin Search vendor "Vaadin" for product "Vaadin" | >= 15.0.0 <= 18.0.0 Search vendor "Vaadin" for product "Vaadin" and version " >= 15.0.0 <= 18.0.0" | - |
Affected
| ||||||
| Vaadin Search vendor "Vaadin" | Vaadin Search vendor "Vaadin" for product "Vaadin" | >= 19.0.0 <= 19.0.8 Search vendor "Vaadin" for product "Vaadin" and version " >= 19.0.0 <= 19.0.8" | - |
Affected
| ||||||