CVE-2021-33605 - Vulnerability Details - OpenCVE

Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00336.

Key SSVC decision points have not yet been added.

Vendors	Products
Vaadin	Vaadin Vaadin-checkbox-flow

Configuration 1 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-1840	Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.
Github GHSA	GHSA-qcc4-3rxf-gf4m	Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/vaadin/flow-components/pull/1903
https://vaadin.com/security/cve-2021-33605

History

No history.

MITRE

Status: PUBLISHED

Assigner: Vaadin

Published: 2021-08-25T12:12:41.760458Z

Updated: 2024-09-17T02:53:05.351Z

Reserved: 2021-05-27T00:00:00

Link: CVE-2021-33605

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-25T13:15:07.270

Modified: 2024-11-21T06:09:11.323

Link: CVE-2021-33605

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Vaadin", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "12.0.0", "versionType": "custom"}, {"lessThan": "14.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom"}, {"lessThan": "14.5.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "15.0.0", "versionType": "custom"}, {"lessThanOrEqual": "17.0.11", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.5.0", "versionType": "custom"}, {"lessThanOrEqual": "14.6.7", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "18.0.0", "versionType": "custom"}, {"lessThanOrEqual": "20.0.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "vaadin-checkbox-flow", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.2.0", "versionType": "custom"}, {"lessThan": "2.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom"}, {"lessThan": "3.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom"}, {"lessThanOrEqual": "4.0.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.5.0", "versionType": "custom"}, {"lessThanOrEqual": "14.6.7", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "18.0.0", "versionType": "custom"}, {"lessThanOrEqual": "20.0.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-08-25T00:00:00", "descriptions": [{"lang": "en", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-25T12:12:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://vaadin.com/security/cve-2021-33605"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vaadin/flow-components/pull/1903"}], "source": {"discovery": "INTERNAL"}, "title": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-08-25T11:46:00.000Z", "ID": "CVE-2021-33605", "STATE": "PUBLIC", "TITLE": "Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vaadin", "version": {"version_data": [{"version_affected": ">=", "version_value": "12.0.0"}, {"version_affected": "<", "version_value": "14.0.0"}, {"version_affected": ">=", "version_value": "14.0.0"}, {"version_affected": "<", "version_value": "14.5.0"}, {"version_affected": ">=", "version_value": "15.0.0"}, {"version_affected": "<=", "version_value": "17.0.11"}, {"version_affected": ">=", "version_value": "14.5.0"}, {"version_affected": "<=", "version_value": "14.6.7"}, {"version_affected": ">=", "version_value": "18.0.0"}, {"version_affected": "<=", "version_value": "20.0.5"}]}}, {"product_name": "vaadin-checkbox-flow", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.2.0"}, {"version_affected": "<", "version_value": "2.0.0"}, {"version_affected": ">=", "version_value": "2.0.0"}, {"version_affected": "<", "version_value": "3.0.0"}, {"version_affected": ">=", "version_value": "3.0.0"}, {"version_affected": "<=", "version_value": "4.0.1"}, {"version_affected": ">=", "version_value": "14.5.0"}, {"version_affected": "<=", "version_value": "14.6.7"}, {"version_affected": ">=", "version_value": "18.0.0"}, {"version_affected": "<=", "version_value": "20.0.5"}]}}]}, "vendor_name": "Vaadin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://vaadin.com/security/cve-2021-33605", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-33605"}, {"name": "https://github.com/vaadin/flow-components/pull/1903", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow-components/pull/1903"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:50:43.245Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://vaadin.com/security/cve-2021-33605"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vaadin/flow-components/pull/1903"}]}]}, "cveMetadata": {"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-33605", "datePublished": "2021-08-25T12:12:41.760458Z", "dateReserved": "2021-05-27T00:00:00", "dateUpdated": "2024-09-17T02:53:05.351Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "79D9299A-4A66-42E8-A044-FF9D9A559AC1", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6979479B-0708-439D-AC2F-62807ACA2B95", "versionEndExcluding": "14.0.0", "versionStartIncluding": "12.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AD0AABC-FA18-431F-862A-86BB888B9187", "versionEndExcluding": "3.0.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "F87F8662-9F8C-438A-A364-2F9BE35584B4", "versionEndExcluding": "14.5.0", "versionStartIncluding": "14.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "818D7592-155A-40AE-BDFF-0A2B03D8F15A", "versionEndExcluding": "4.0.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C540D0C-0B64-49FB-87B7-9D856C31154F", "versionEndExcluding": "17.0.11", "versionStartIncluding": "15.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E3BD92E-4CE4-45AB-9197-61E0DCE83A0E", "versionEndExcluding": "14.6.7", "versionStartIncluding": "14.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "001E8DD4-AAAF-4B6F-B46E-FECC92642B16", "versionEndExcluding": "14.6.7", "versionStartIncluding": "14.5.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "12EFCD71-0838-472D-BCF5-62839EB5D4FC", "versionEndExcluding": "20.0.5", "versionStartIncluding": "18.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "70F531B2-ED8F-4157-82B6-A31F06A82F34", "versionEndExcluding": "20.0.5", "versionStartIncluding": "18.0.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors."}, {"lang": "es", "value": "Una comprobaci\u00f3n inapropiada en CheckboxGroup en las versiones: com.vaadin:vaadin-checkbox-flow 1.2.0 anterior a 2.0.0 (Vaadin 12.0.0 anterior a 14.0.0), 2.0.0 anterior a 3.0.0 (Vaadin 14.0.0 anterior a 14.5.0), 3.0.0 hasta 4.0.1 (Vaadin 15.0.0 hasta 17.0. 11), 14.5.0 hasta 14.6.7 (Vaadin 14.5.0 hasta 14.6.7), y 18.0.0 hasta 20.0.5 (Vaadin 18.0.0 hasta 20.0.5) permite a atacantes modificar el valor de un Checkbox deshabilitado dentro de un componente CheckboxGroup habilitado por medio de vectores no especificados."}], "id": "CVE-2021-33605", "lastModified": "2024-11-21T06:09:11.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-25T13:15:07.270", "references": [{"source": "security@vaadin.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow-components/pull/1903"}, {"source": "security@vaadin.com", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-33605"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow-components/pull/1903"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-33605"}], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security@vaadin.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-754"}], "source": "nvd@nist.gov", "type": "Primary"}]}