CVE-2021-31412

Source
https://cve.org/CVERecord?id=CVE-2021-31412
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31412.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31412
Aliases
Published
2021-06-24T12:15:08.090Z
Modified
2026-03-10T23:34:34.500793Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Improper sanitization of the path in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a network attacker to enumerate all available routes via a crafted HTTP request when the application is running in production mode and no custom handler for NotFoundException is provided.

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/flow
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "last_affected": "1.0.14"
        },
        {
            "introduced": "1.1.0"
        },
        {
            "last_affected": "1.4.0"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.6.1"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "last_affected": "5.0.0"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "last_affected": "6.0.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/vaadin/vaadin
Events
Database specific
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "last_affected": "10.0.18"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "last_affected": "13.0.0"
        },
        {
            "introduced": "14.0.0"
        },
        {
            "last_affected": "14.6.1"
        },
        {
            "introduced": "15.0.0"
        },
        {
            "last_affected": "18.0.0"
        },
        {
            "introduced": "19.0.0"
        },
        {
            "last_affected": "19.0.8"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.1
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.0.alpha1
1.1.0.alpha2
1.1.0.alpha3
1.1.0.beta1
1.1.0.beta2
1.1.0.beta3
1.1.0.beta4
1.2.0
1.2.0.alpha1
1.2.0.beta1
1.2.0.beta2
1.3.0
1.3.0.alpha2
1.3.0.alpha3
1.3.0.beta1
1.3.0.beta2
1.4.0
1.5.0.alpha1
1.5.0.alpha2
1.5.0.alpha3
1.5.0.alpha4
2.*
2.0.0
2.0.0.alpha1
2.0.0.alpha2
2.0.0.alpha3
2.0.0.alpha4
2.0.0.alpha5
2.0.0.beta1
2.0.0.beta2
2.0.0.rc1
2.0.0.rc2
2.0.0.rc3
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0.alpha1
2.1.0.beta1
2.1.0.beta3
2.2.0
2.2.0.alpha1
2.2.0.alpha10
2.2.0.alpha11
2.2.0.alpha12
2.2.0.alpha13
2.2.0.alpha14
2.2.0.alpha15
2.2.0.alpha16
2.2.0.alpha2
2.2.0.alpha3
2.2.0.alpha4
2.2.0.alpha5
2.2.0.alpha6
2.2.0.alpha7
2.2.0.alpha8
2.2.0.alpha9
2.2.0.beta1
2.2.0.beta2
2.2.0.rc1
2.2.1
2.2.2
2.2.alpha14
2.3.0
2.3.0.alpha1
2.3.0.beta1
2.3.0.beta2
2.3.0.beta3
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.0.alpha1
2.4.0.beta1
2.4.0.beta2
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.5.0.alpha1
2.5.0.alpha2
2.6.0
2.6.0.alpha1
2.6.0.beta1
2.6.0.beta2
2.6.0.rc1
2.6.1
3.*
3.0.0.alpha1
3.0.0.alpha11
3.0.0.alpha12
3.0.0.alpha13
3.0.0.alpha14
3.0.0.alpha15
3.0.0.alpha16
3.0.0.alpha17
3.0.0.alpha2
3.0.0.alpha3
3.0.0.alpha4
3.0.0.alpha5
3.0.0.alpha6
3.0.0.alpha7
3.0.0.alpha8
3.0.0.alpha9
3.0.0.beta1
3.0.0.beta2
3.0.0.beta3
3.0.0.beta4
3.2.0.alpha1
3.2.0.alpha2
3.2.0.alpha3
3.2.0.alpha4
3.2.0.alpha5
3.2.0.alpha6
3.2.0.alpha7
4.*
4.0.0.alpha1
4.0.0.alpha2
4.0.0.alpha3
4.0.0.beta1
5.*
5.0.0
5.0.0.alpha1
5.0.0.beta1
5.0.0.rc1
6.*
6.0.0
6.0.0.alpha1
6.0.0.alpha2
6.0.0.alpha3
6.0.0.alpha4
6.0.0.alpha5
6.0.0.beta1
6.0.0.beta2
6.0.0.beta3
6.0.0.beta4
6.0.0.beta5
6.0.0.rc1
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
v10.*
v10.0.0
v10.0.1
v10.0.10
v10.0.11
v10.0.12
v10.0.13
v10.0.14
v10.0.15
v10.0.16
v10.0.17
v10.0.18
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.8
v10.0.9
v11.*
v11.0.0-alpha1
v11.0.0-beta1
v12.*
v12.0.0
v12.0.0-alpha1
v12.0.0-alpha2
v12.0.0-alpha3
v12.0.0-alpha4
v12.0.0-alpha5
v12.0.0-beta1
v12.0.0-beta2
v12.0.1
v12.0.2
v13.*
v13.0.0
v13.0.0-alpha1
v13.0.0-alpha2
v13.0.0-alpha3
v13.0.0-alpha4
v13.0.0-beta1
v13.0.0-beta2
v13.0.0-beta3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31412.json"