CVE-2021-31412 - OpenCVE

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vaadin	Flow Vaadin

Configuration 1 [-]

OR	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin::::::::

No data.

References

Link	Providers
https://github.com/vaadin/flow/pull/11107
https://vaadin.com/security/cve-2021-31412

History

No history.

MITRE

Status: PUBLISHED

Assigner: Vaadin

Published: 2021-06-24T11:33:10.535178Z

Updated: 2024-09-16T16:18:47.406Z

Reserved: 2021-04-15T00:00:00

Link: CVE-2021-31412

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-24T12:15:08.090

Modified: 2022-10-25T19:33:07.190

Link: CVE-2021-31412

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Vaadin", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "10.0.0", "versionType": "custom"}, {"lessThanOrEqual": "10.0.18", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "11.0.0", "versionType": "custom"}, {"lessThan": "14.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom"}, {"lessThanOrEqual": "14.6.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "15.0.0", "versionType": "custom"}, {"lessThanOrEqual": "19.0.8", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "flow-server", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.0.0", "versionType": "custom"}, {"lessThanOrEqual": "1.0.14", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "1.1.0", "versionType": "custom"}, {"lessThan": "2.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom"}, {"lessThanOrEqual": "2.6.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom"}, {"lessThanOrEqual": "6.0.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-06-24T00:00:00", "descriptions": [{"lang": "en", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1295", "description": "CWE-1295 Debug Messages Revealing Unnecessary Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-24T11:33:10", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://vaadin.com/security/cve-2021-31412"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vaadin/flow/pull/11107"}], "source": {"discovery": "INTERNAL"}, "title": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-06-24T09:31:00.000Z", "ID": "CVE-2021-31412", "STATE": "PUBLIC", "TITLE": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vaadin", "version": {"version_data": [{"version_affected": ">=", "version_value": "10.0.0"}, {"version_affected": "<=", "version_value": "10.0.18"}, {"version_affected": ">=", "version_value": "11.0.0"}, {"version_affected": "<", "version_value": "14.0.0"}, {"version_affected": ">=", "version_value": "14.0.0"}, {"version_affected": "<=", "version_value": "14.6.1"}, {"version_affected": ">=", "version_value": "15.0.0"}, {"version_affected": "<=", "version_value": "19.0.8"}]}}, {"product_name": "flow-server", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.0.0"}, {"version_affected": "<=", "version_value": "1.0.14"}, {"version_affected": ">=", "version_value": "1.1.0"}, {"version_affected": "<", "version_value": "2.0.0"}, {"version_affected": ">=", "version_value": "2.0.0"}, {"version_affected": "<=", "version_value": "2.6.1"}, {"version_affected": ">=", "version_value": "3.0.0"}, {"version_affected": "<=", "version_value": "6.0.9"}]}}]}, "vendor_name": "Vaadin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1295 Debug Messages Revealing Unnecessary Information"}]}]}, "references": {"reference_data": [{"name": "https://vaadin.com/security/cve-2021-31412", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-31412"}, {"name": "https://github.com/vaadin/flow/pull/11107", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow/pull/11107"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:55:53.804Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://vaadin.com/security/cve-2021-31412"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vaadin/flow/pull/11107"}]}]}, "cveMetadata": {"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31412", "datePublished": "2021-06-24T11:33:10.535178Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T16:18:47.406Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "08B5A131-071A-4AEC-9F0B-8BF6D38DC85C", "versionEndIncluding": "1.0.14", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F232EDE-AF65-4AA2-846E-3C7A34DA8928", "versionEndIncluding": "1.4.0", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAF9CA63-A40E-474E-9BE9-8A86A1C2B129", "versionEndIncluding": "2.6.1", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CA90E82-620F-46C0-AB1F-05804328BB54", "versionEndIncluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1551D996-DB49-4E39-9423-BD3CBA2029FA", "versionEndIncluding": "6.0.9", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AAF5648-26F2-4D08-838B-3B3C2E0954D2", "versionEndIncluding": "10.0.18", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "85960C27-DA5B-4215-9C34-4789F32EF260", "versionEndIncluding": "13.0.0", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "4367271F-BC87-4C32-BBFC-F9F97ACD2D33", "versionEndIncluding": "14.6.1", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC99FEC9-DABA-4E7E-AA04-67146840B360", "versionEndIncluding": "18.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "64FCA0F3-0104-490C-B8CA-860B52BCAC29", "versionEndIncluding": "19.0.8", "versionStartIncluding": "19.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."}, {"lang": "es", "value": "Un saneamiento inapropiado de la ruta en la vista RouteNotFoundError predeterminada en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.14 (Vaadin versiones 10.0.0 hasta 10.0.18), versiones 1.1.0 anteriores a 2.0.0 (Vaadin versiones 11 anterior a 14), versiones 2.0.0 hasta 2.6.1 (Vaadin versiones 14.0.0 hasta 14. 6.1), y versiones 3.0.0 hasta 6.0.9 (Vaadin versiones 15.0.0 hasta 19.0.8) permite a un atacante de red enumerar todas las rutas disponibles por medio de una petici\u00f3n HTTP dise\u00f1ada cuando la aplicaci\u00f3n se ejecuta en modo de producci\u00f3n y un controlador personalizado para o NotFoundException es proporcionado"}], "id": "CVE-2021-31412", "lastModified": "2022-10-25T19:33:07.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary"}]}, "published": "2021-06-24T12:15:08.090", "references": [{"source": "security@vaadin.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/11107"}, {"source": "security@vaadin.com", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-31412"}], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1295"}], "source": "security@vaadin.com", "type": "Secondary"}]}