Description

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

Remediation

References

https://github.com/vaadin/flow/pull/10229

https://github.com/vaadin/flow/pull/10269

https://github.com/vaadin/osgi/issues/50

https://vaadin.com/security/cve-2021-31407

Related Vulnerabilities

CVE-2016-1000344 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

CVE-2012-3451 Vulnerability in maven package org.apache.cxf:cxf-bundle-minimal

CVE-2021-42567 Vulnerability in maven package org.apereo.cas:cas-server-core-services

CVE-2022-36092 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2023-26115 Vulnerability in maven package org.webjars.npm:word-wrap

Severity

High

Classification

CWE-668 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory Vendor Advisory