CVE-2021-33605 - Vulnerability Details - OpenCVE

Description

Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.

Published: 2021-08-25

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Vaadin

Vaadin

affected

Version	Status	Constraints
`12.0.0`	affected	< unspecified
`unspecified`	affected	< 14.0.0
`14.0.0`	affected	< unspecified
`unspecified`	affected	< 14.5.0
`15.0.0`	affected	< unspecified
`unspecified`	affected	≤ 17.0.11
`14.5.0`	affected	< unspecified
`unspecified`	affected	≤ 14.6.7
`18.0.0`	affected	< unspecified
`unspecified`	affected	≤ 20.0.5

Vaadin

vaadin-checkbox-flow

affected

Version	Status	Constraints
`1.2.0`	affected	< unspecified
`unspecified`	affected	< 2.0.0
`2.0.0`	affected	< unspecified
`unspecified`	affected	< 3.0.0
`3.0.0`	affected	< unspecified
`unspecified`	affected	≤ 4.0.1
`14.5.0`	affected	< unspecified
`unspecified`	affected	≤ 14.6.7
`18.0.0`	affected	< unspecified
`unspecified`	affected	≤ 20.0.5

Configuration 1 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-1840	Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.
Github GHSA	GHSA-qcc4-3rxf-gf4m	Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00336.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/vaadin/flow-components/pull/1903
https://vaadin.com/security/cve-2021-33605

History

No history.

Subscriptions

Vaadin Vaadin Vaadin-checkbox-flow

MITRE

Status: PUBLISHED

Assigner: Vaadin

Published: 2021-08-25T12:12:41.760Z

Updated: 2024-09-17T02:53:05.351Z

Reserved: 2021-05-27T00:00:00.000Z

Link: CVE-2021-33605

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-25T13:15:07.270

Modified: 2024-11-21T06:09:11.323

Link: CVE-2021-33605

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-754

{"containers": {"cna": {"affected": [{"product": "Vaadin", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "12.0.0", "versionType": "custom"}, {"lessThan": "14.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom"}, {"lessThan": "14.5.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "15.0.0", "versionType": "custom"}, {"lessThanOrEqual": "17.0.11", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.5.0", "versionType": "custom"}, {"lessThanOrEqual": "14.6.7", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "18.0.0", "versionType": "custom"}, {"lessThanOrEqual": "20.0.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "vaadin-checkbox-flow", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.2.0", "versionType": "custom"}, {"lessThan": "2.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom"}, {"lessThan": "3.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom"}, {"lessThanOrEqual": "4.0.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.5.0", "versionType": "custom"}, {"lessThanOrEqual": "14.6.7", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "18.0.0", "versionType": "custom"}, {"lessThanOrEqual": "20.0.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-08-25T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-25T12:12:41.000Z", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://vaadin.com/security/cve-2021-33605"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vaadin/flow-components/pull/1903"}], "source": {"discovery": "INTERNAL"}, "title": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-08-25T11:46:00.000Z", "ID": "CVE-2021-33605", "STATE": "PUBLIC", "TITLE": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vaadin", "version": {"version_data": [{"version_affected": ">=", "version_value": "12.0.0"}, {"version_affected": "<", "version_value": "14.0.0"}, {"version_affected": ">=", "version_value": "14.0.0"}, {"version_affected": "<", "version_value": "14.5.0"}, {"version_affected": ">=", "version_value": "15.0.0"}, {"version_affected": "<=", "version_value": "17.0.11"}, {"version_affected": ">=", "version_value": "14.5.0"}, {"version_affected": "<=", "version_value": "14.6.7"}, {"version_affected": ">=", "version_value": "18.0.0"}, {"version_affected": "<=", "version_value": "20.0.5"}]}}, {"product_name": "vaadin-checkbox-flow", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.2.0"}, {"version_affected": "<", "version_value": "2.0.0"}, {"version_affected": ">=", "version_value": "2.0.0"}, {"version_affected": "<", "version_value": "3.0.0"}, {"version_affected": ">=", "version_value": "3.0.0"}, {"version_affected": "<=", "version_value": "4.0.1"}, {"version_affected": ">=", "version_value": "14.5.0"}, {"version_affected": "<=", "version_value": "14.6.7"}, {"version_affected": ">=", "version_value": "18.0.0"}, {"version_affected": "<=", "version_value": "20.0.5"}]}}]}, "vendor_name": "Vaadin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://vaadin.com/security/cve-2021-33605", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-33605"}, {"name": "https://github.com/vaadin/flow-components/pull/1903", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow-components/pull/1903"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:50:43.245Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://vaadin.com/security/cve-2021-33605"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vaadin/flow-components/pull/1903"}]}]}, "cveMetadata": {"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-33605", "datePublished": "2021-08-25T12:12:41.760Z", "dateReserved": "2021-05-27T00:00:00.000Z", "dateUpdated": "2024-09-17T02:53:05.351Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "79D9299A-4A66-42E8-A044-FF9D9A559AC1", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6979479B-0708-439D-AC2F-62807ACA2B95", "versionEndExcluding": "14.0.0", "versionStartIncluding": "12.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AD0AABC-FA18-431F-862A-86BB888B9187", "versionEndExcluding": "3.0.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "F87F8662-9F8C-438A-A364-2F9BE35584B4", "versionEndExcluding": "14.5.0", "versionStartIncluding": "14.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "818D7592-155A-40AE-BDFF-0A2B03D8F15A", "versionEndExcluding": "4.0.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C540D0C-0B64-49FB-87B7-9D856C31154F", "versionEndExcluding": "17.0.11", "versionStartIncluding": "15.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E3BD92E-4CE4-45AB-9197-61E0DCE83A0E", "versionEndExcluding": "14.6.7", "versionStartIncluding": "14.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "001E8DD4-AAAF-4B6F-B46E-FECC92642B16", "versionEndExcluding": "14.6.7", "versionStartIncluding": "14.5.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "12EFCD71-0838-472D-BCF5-62839EB5D4FC", "versionEndExcluding": "20.0.5", "versionStartIncluding": "18.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "70F531B2-ED8F-4157-82B6-A31F06A82F34", "versionEndExcluding": "20.0.5", "versionStartIncluding": "18.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."}, {"lang": "es", "value": "Una comprobaci\u00f3n inapropiada en CheckboxGroup en las versiones: com.vaadin:vaadin-checkbox-flow 1.2.0 anterior a 2.0.0 (Vaadin 12.0.0 anterior a 14.0.0), 2.0.0 anterior a 3.0.0 (Vaadin 14.0.0 anterior a 14.5.0), 3.0.0 hasta 4.0.1 (Vaadin 15.0.0 hasta 17.0. 11), 14.5.0 hasta 14.6.7 (Vaadin 14.5.0 hasta 14.6.7), y 18.0.0 hasta 20.0.5 (Vaadin 18.0.0 hasta 20.0.5) permite a atacantes modificar el valor de un Checkbox deshabilitado dentro de un componente CheckboxGroup habilitado por medio de vectores no especificados."}], "id": "CVE-2021-33605", "lastModified": "2024-11-21T06:09:11.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-25T13:15:07.270", "references": [{"source": "security@vaadin.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow-components/pull/1903"}, {"source": "security@vaadin.com", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-33605"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow-components/pull/1903"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-33605"}], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security@vaadin.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-754"}], "source": "nvd@nist.gov", "type": "Primary"}]}