{"containers": {"cna": {"affected": [{"product": "Vaadin", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "10.0.0", "versionType": "custom"}, {"lessThanOrEqual": "10.0.18", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "11.0.0", "versionType": "custom"}, {"lessThan": "14.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "14.0.0", "versionType": "custom"}, {"lessThanOrEqual": "14.6.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "15.0.0", "versionType": "custom"}, {"lessThanOrEqual": "19.0.8", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "flow-server", "vendor": "Vaadin", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.0.0", "versionType": "custom"}, {"lessThanOrEqual": "1.0.14", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "1.1.0", "versionType": "custom"}, {"lessThan": "2.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom"}, {"lessThanOrEqual": "2.6.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom"}, {"lessThanOrEqual": "6.0.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-06-24T00:00:00", "descriptions": [{"lang": "en", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1295", "description": "CWE-1295 Debug Messages Revealing Unnecessary Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-24T11:33:10", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://vaadin.com/security/cve-2021-31412"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vaadin/flow/pull/11107"}], "source": {"discovery": "INTERNAL"}, "title": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-06-24T09:31:00.000Z", "ID": "CVE-2021-31412", "STATE": "PUBLIC", "TITLE": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vaadin", "version": {"version_data": [{"version_affected": ">=", "version_value": "10.0.0"}, {"version_affected": "<=", "version_value": "10.0.18"}, {"version_affected": ">=", "version_value": "11.0.0"}, {"version_affected": "<", "version_value": "14.0.0"}, {"version_affected": ">=", "version_value": "14.0.0"}, {"version_affected": "<=", "version_value": "14.6.1"}, {"version_affected": ">=", "version_value": "15.0.0"}, {"version_affected": "<=", "version_value": "19.0.8"}]}}, {"product_name": "flow-server", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.0.0"}, {"version_affected": "<=", "version_value": "1.0.14"}, {"version_affected": ">=", "version_value": "1.1.0"}, {"version_affected": "<", "version_value": "2.0.0"}, {"version_affected": ">=", "version_value": "2.0.0"}, {"version_affected": "<=", "version_value": "2.6.1"}, {"version_affected": ">=", "version_value": "3.0.0"}, {"version_affected": "<=", "version_value": "6.0.9"}]}}]}, "vendor_name": "Vaadin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1295 Debug Messages Revealing Unnecessary Information"}]}]}, "references": {"reference_data": [{"name": "https://vaadin.com/security/cve-2021-31412", "refsource": "CONFIRM", "url": "https://vaadin.com/security/cve-2021-31412"}, {"name": "https://github.com/vaadin/flow/pull/11107", "refsource": "CONFIRM", "url": "https://github.com/vaadin/flow/pull/11107"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:55:53.804Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://vaadin.com/security/cve-2021-31412"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vaadin/flow/pull/11107"}]}]}, "cveMetadata": {"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31412", "datePublished": "2021-06-24T11:33:10.535178Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-16T16:18:47.406Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "08B5A131-071A-4AEC-9F0B-8BF6D38DC85C", "versionEndIncluding": "1.0.14", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F232EDE-AF65-4AA2-846E-3C7A34DA8928", "versionEndIncluding": "1.4.0", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAF9CA63-A40E-474E-9BE9-8A86A1C2B129", "versionEndIncluding": "2.6.1", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CA90E82-620F-46C0-AB1F-05804328BB54", "versionEndIncluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1551D996-DB49-4E39-9423-BD3CBA2029FA", "versionEndIncluding": "6.0.9", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AAF5648-26F2-4D08-838B-3B3C2E0954D2", "versionEndIncluding": "10.0.18", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "85960C27-DA5B-4215-9C34-4789F32EF260", "versionEndIncluding": "13.0.0", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "4367271F-BC87-4C32-BBFC-F9F97ACD2D33", "versionEndIncluding": "14.6.1", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC99FEC9-DABA-4E7E-AA04-67146840B360", "versionEndIncluding": "18.0.0", "versionStartIncluding": "15.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "64FCA0F3-0104-490C-B8CA-860B52BCAC29", "versionEndIncluding": "19.0.8", "versionStartIncluding": "19.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided."}, {"lang": "es", "value": "Un saneamiento inapropiado de la ruta en la vista RouteNotFoundError predeterminada en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.14 (Vaadin versiones 10.0.0 hasta 10.0.18), versiones 1.1.0 anteriores a 2.0.0 (Vaadin versiones 11 anterior a 14), versiones 2.0.0 hasta 2.6.1 (Vaadin versiones 14.0.0 hasta 14. 6.1), y versiones 3.0.0 hasta 6.0.9 (Vaadin versiones 15.0.0 hasta 19.0.8) permite a un atacante de red enumerar todas las rutas disponibles por medio de una petici\u00f3n HTTP dise\u00f1ada cuando la aplicaci\u00f3n se ejecuta en modo de producci\u00f3n y un controlador personalizado para o NotFoundException es proporcionado"}], "id": "CVE-2021-31412", "lastModified": "2024-11-21T06:05:37.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@vaadin.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-24T12:15:08.090", "references": [{"source": "security@vaadin.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/11107"}, {"source": "security@vaadin.com", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-31412"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/11107"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-31412"}], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1295"}], "source": "security@vaadin.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}