GHSA-j9wr-49vq-rm5g

Suggest an improvement
Source
https://github.com/advisories/GHSA-j9wr-49vq-rm5g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-j9wr-49vq-rm5g/GHSA-j9wr-49vq-rm5g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j9wr-49vq-rm5g
Published
2021-04-19T14:46:49Z
Modified
2023-04-11T01:40:26.261949Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Details

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

  • https://vaadin.com/security/cve-2021-31407
References

Affected packages

Maven / com.vaadin:vaadin-bom

Package

Name
com.vaadin:vaadin-bom
View open source insights on deps.dev
Purl
pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
14.4.10

Affected versions

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7

13.*

13.0.0
13.0.1
13.0.2
13.0.3
13.0.4
13.0.5
13.0.6
13.0.7
13.0.8
13.0.9
13.0.10
13.0.11
13.0.12
13.0.13

14.*

14.0.0
14.0.1
14.0.2
14.0.3
14.0.4
14.0.5
14.0.6
14.0.7
14.0.8
14.0.9
14.0.10
14.0.11
14.0.12
14.0.13
14.0.14
14.0.15
14.1.0
14.1.1
14.1.2
14.1.3
14.1.4
14.1.5
14.1.16
14.1.17
14.1.18
14.1.19
14.1.20
14.1.21
14.1.22
14.1.23
14.1.24
14.1.25
14.1.26
14.1.27
14.1.28
14.2.0
14.2.1
14.2.2
14.2.3
14.3.0
14.3.1
14.3.2
14.3.3
14.3.4
14.3.5
14.3.6
14.3.7
14.3.8
14.3.9
14.4.0
14.4.1
14.4.2
14.4.3
14.4.4
14.4.5
14.4.6
14.4.7
14.4.8
14.4.9

Maven / com.vaadin:vaadin-bom

Package

Name
com.vaadin:vaadin-bom
View open source insights on deps.dev
Purl
pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
19.0.0
Fixed
19.0.1

Affected versions

19.*

19.0.0