Vulnerability Description
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vaadin | Flow | >= 1.2.0, < 2.4.8 |
| Vaadin | Vaadin | >= 12.0.0, < 14.4.10 |
Related Weaknesses (CWE)
References
- https://github.com/vaadin/flow/pull/10229PatchThird Party Advisory
- https://github.com/vaadin/flow/pull/10269PatchThird Party Advisory
- https://github.com/vaadin/osgi/issues/50PatchThird Party Advisory
- https://vaadin.com/security/cve-2021-31407Vendor Advisory
- https://github.com/vaadin/flow/pull/10229PatchThird Party Advisory
- https://github.com/vaadin/flow/pull/10269PatchThird Party Advisory
- https://github.com/vaadin/osgi/issues/50PatchThird Party Advisory
- https://vaadin.com/security/cve-2021-31407Vendor Advisory
FAQ
What is CVE-2021-31407?
CVE-2021-31407 is a vulnerability with a CVSS score of 8.6 (HIGH). Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application c...
How severe is CVE-2021-31407?
CVE-2021-31407 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-31407?
Check the references section above for vendor advisories and patch information. Affected products include: Vaadin Flow, Vaadin Vaadin.