admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-19 17:32:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2021-04-23 17:00:52 +00:00
parent 50b3d52ff0
commit ca2bd369f9
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
19 changed files with 1963 additions and 1765 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
2017/20xxx/CVE-2017-20003.json
View File

@ -4,7 +4,7 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2017-20003",
"ASSIGNER": "security@vaadin.com",
"ASSIGNER": "cve@mitre.org",
"STATE": "REJECT"
},
"description": {

262
2018/25xxx/CVE-2018-25007.json
View File

@ -1,137 +1,139 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2018-25007",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2018-11-29T09:17:00.000Z",
"TITLE": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "10.0.7",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "11.0.2",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2018-25007",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2018-11-29T09:17:00.000Z",
"TITLE": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "10.0.7",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "11.0.2",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.0.5",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.0.5",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2018-25007"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/4774"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"baseScore": 2.6,
"baseSeverity": "LOW"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message."
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2018-25007",
"name": "https://vaadin.com/security/cve-2018-25007"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/4774",
"name": "https://github.com/vaadin/flow/pull/4774"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"baseScore": 2.6,
"baseSeverity": "LOW"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

286
2019/25xxx/CVE-2019-25027.json
View File

@ -1,149 +1,151 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2019-25027",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-05-27T08:17:00.000Z",
"TITLE": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "10.0.13",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "13.0.5",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2019-25027",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-05-27T08:17:00.000Z",
"TITLE": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "10.0.13",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "13.0.5",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.0.10",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.1.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.4.2",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.0.10",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.1.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.4.2",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-81 Improper Neutralization of Script in an Error Message Web Page"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-81 Improper Neutralization of Script in an Error Message Web Page"
}
]
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2019-25027"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/5498"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"baseScore": 6.1,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL"
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2019-25027",
"name": "https://vaadin.com/security/cve-2019-25027"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/5498",
"name": "https://github.com/vaadin/flow/pull/5498"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"baseScore": 6.1,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

303
2019/25xxx/CVE-2019-25028.json
View File

@ -1,158 +1,161 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2019-25028",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-07-04T08:17:00.000Z",
"TITLE": "Stored cross-site scripting in Grid component in Vaadin 7 and 8",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "USER"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.4.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.19",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.8.4",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2019-25028",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-07-04T08:17:00.000Z",
"TITLE": "Stored cross-site scripting in Grid component in Vaadin 7 and 8",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "USER"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.4.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.19",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.8.4",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.4.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.19",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.8.4",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.4.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.19",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.8.4",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector"
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2019-25028",
"name": "https://vaadin.com/security/cve-2019-25028"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/framework/pull/11644",
"name": "https://github.com/vaadin/framework/pull/11644"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/framework/pull/11645",
"name": "https://github.com/vaadin/framework/pull/11645"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by MATE Marketing Technologie"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2019-25028"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/11644"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/11645"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by MATE Marketing Technologie"
}
]
}

5
2020/27xxx/CVE-2020-27216.json
View File

@ -640,6 +640,11 @@
"refsource": "MLIST",
"name": "[beam-issues] 20210422 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216",
"url": "https://lists.apache.org/thread.html/r77dd041d8025a869156481d2268c67ad17121f64e31f9b4a1a220145@%3Cissues.beam.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[beam-issues] 20210423 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216",
"url": "https://lists.apache.org/thread.html/r171846414347ec5fed38241a9f8a009bd2c89d902154c6102b1fb39a@%3Cissues.beam.apache.org%3E"
}
]
}

255
2020/36xxx/CVE-2020-36319.json
View File

@ -1,134 +1,137 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36319",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-04-21T08:17:00.000Z",
"TITLE": "Potential sensitive data exposure in applications using Vaadin 15",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "15.0.4",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36319",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-04-21T08:17:00.000Z",
"TITLE": "Potential sensitive data exposure in applications using Vaadin 15",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "15.0.4",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "3.0.5",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "3.0.5",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController"
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2020-36319",
"name": "https://vaadin.com/security/cve-2020-36319"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/8016",
"name": "https://github.com/vaadin/flow/pull/8016"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/8051",
"name": "https://github.com/vaadin/flow/pull/8051"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"baseScore": 3.1,
"baseSeverity": "LOW"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)."
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2020-36319"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/8016"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/8051"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"baseScore": 3.1,
"baseSeverity": "LOW"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)."
}
]
}

247
2020/36xxx/CVE-2020-36320.json
View File

@ -1,129 +1,132 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36320",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-10-08T08:17:00.000Z",
"TITLE": "Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.21",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36320",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-10-08T08:17:00.000Z",
"TITLE": "Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.21",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.21",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.21",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2020-36320"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/issues/7757"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12104"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2020-36320",
"name": "https://vaadin.com/security/cve-2020-36320"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/framework/issues/7757",
"name": "https://github.com/vaadin/framework/issues/7757"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/framework/pull/12104",
"name": "https://github.com/vaadin/framework/pull/12104"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

242
2020/36xxx/CVE-2020-36321.json
View File

@ -3,147 +3,149 @@
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36321",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-11-26T09:17:00.000Z",
"TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17",
"AKA": "",
"STATE": "PUBLIC"
"ID": "CVE-2020-36321",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-11-26T09:17:00.000Z",
"TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
"vendor": {
"vendor_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.2",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "18.0.0",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.4.1",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "5.0.0",
"platform": ""
}
]
}
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.2",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "18.0.0",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.4.1",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "5.0.0",
"platform": ""
}
]
}
}
]
}
}
]
}
}
]
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
"problemtype_data": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
}
]
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."
}
]
"description_data": [
{
"lang": "eng",
"value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2020-36321"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/9392"
}
]
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2020-36321",
"name": "https://vaadin.com/security/cve-2020-36321"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/9392",
"name": "https://github.com/vaadin/flow/pull/9392"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"baseScore": 5.9,
"baseSeverity": "MEDIUM"
}
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"baseScore": 5.9,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}
}

65
2021/22xxx/CVE-2021-22893.json
View File

@ -4,14 +4,73 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-22893",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "PCS 9.0R3 or above, PCS 9.1R1 and above"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authentication - Generic (CWE-287)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/"
},
{
"refsource": "MISC",
"name": "https://blog.pulsesecure.net/pulse-connect-secure-security-update/",
"url": "https://blog.pulsesecure.net/pulse-connect-secure-security-update/"
},
{
"refsource": "MISC",
"name": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html",
"url": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
},
{
"refsource": "MISC",
"name": "https://kb.cert.org/vuls/id/213092",
"url": "https://kb.cert.org/vuls/id/213092"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild."
}
]
}

5
2021/23xxx/CVE-2021-23336.json
View File

@ -199,6 +199,11 @@
"refsource": "MLIST",
"name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
},
{
"refsource": "FEDORA",
"name": "FEDORA-2021-b6b6093b3a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"
}
]
},

259
2021/31xxx/CVE-2021-31403.json
View File

@ -3,156 +3,159 @@
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31403",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-12T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8",
"AKA": "",
"STATE": "PUBLIC"
"ID": "CVE-2021-31403",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-12T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
"vendor": {
"vendor_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.23",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.12.2",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.21",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.12.2",
"platform": ""
}
]
}
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.23",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.12.2",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "7.7.21",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "8.12.2",
"platform": ""
}
]
}
}
]
}
}
]
}
}
]
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
"problemtype_data": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
}
]
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack"
}
]
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31403"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12190"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12188"
}
]
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31403",
"name": "https://vaadin.com/security/cve-2021-31403"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/framework/pull/12190",
"name": "https://github.com/vaadin/framework/pull/12190"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/framework/pull/12188",
"name": "https://github.com/vaadin/framework/pull/12188"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
}
}

438
2021/31xxx/CVE-2021-31404.json
View File

@ -1,226 +1,228 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31404",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-17T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "10.0.16",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "14.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.6",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "18.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "18.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "18.0.5",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31404",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-17T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "10.0.16",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "14.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.6",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "18.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "18.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "18.0.5",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.0.13",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.1.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "2.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.4.6",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "5.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "5.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "5.0.2",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "1.0.13",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.1.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "2.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.4.6",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "5.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "5.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "5.0.2",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack."
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31404",
"name": "https://vaadin.com/security/cve-2021-31404"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/9875",
"name": "https://github.com/vaadin/flow/pull/9875"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31404"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/9875"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
}

286
2021/31xxx/CVE-2021-31405.json
View File

@ -1,149 +1,151 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31405",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-11T09:17:00.000Z",
"TITLE": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.6",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.3",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "17.0.10",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31405",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-11T09:17:00.000Z",
"TITLE": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.6",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.3",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "17.0.10",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-text-field-flow",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.4",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.3.2",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "4.0.2",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "vaadin-text-field-flow",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.4",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.3.2",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "4.0.2",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31405"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow-components/pull/442"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31405",
"name": "https://vaadin.com/security/cve-2021-31405"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow-components/pull/442",
"name": "https://github.com/vaadin/flow-components/pull/442"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

270
2021/31xxx/CVE-2021-31406.json
View File

@ -1,142 +1,144 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31406",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-19T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "18.0.6",
"platform": ""
},
{
"version_name": "",
"version_affected": "=",
"version_value": "19.0.0",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31406",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-19T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "18.0.6",
"platform": ""
},
{
"version_name": "",
"version_affected": "=",
"version_value": "19.0.0",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "5.0.3",
"platform": ""
},
{
"version_name": "",
"version_affected": "=",
"version_value": "6.0.0",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "5.0.3",
"platform": ""
},
{
"version_name": "",
"version_affected": "=",
"version_value": "6.0.0",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31406",
"name": "https://vaadin.com/security/cve-2021-31406"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10157",
"name": "https://github.com/vaadin/flow/pull/10157"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31406"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10157"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
}

292
2021/31xxx/CVE-2021-31407.json
View File

@ -1,151 +1,155 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31407",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-29T08:17:00.000Z",
"TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "12.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.9",
"platform": ""
},
{
"version_name": "",
"version_affected": "=",
"version_value": "19.0.0",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31407",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-29T08:17:00.000Z",
"TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "12.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "14.4.9",
"platform": ""
},
{
"version_name": "",
"version_affected": "=",
"version_value": "19.0.0",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.2.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.4.7",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "6.0.1",
"platform": ""
}
]
}
}
]
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.2.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "2.4.7",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "6.0.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')"
}
]
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31407"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10269"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"baseScore": 8.6,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31407",
"name": "https://vaadin.com/security/cve-2021-31407"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/osgi/issues/50",
"name": "https://github.com/vaadin/osgi/issues/50"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10229",
"name": "https://github.com/vaadin/flow/pull/10229"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10269",
"name": "https://github.com/vaadin/flow/pull/10269"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"baseScore": 8.6,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

242
2021/31xxx/CVE-2021-31408.json
View File

@ -3,147 +3,149 @@
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31408",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-20T08:17:00.000Z",
"TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19",
"AKA": "",
"STATE": "PUBLIC"
"ID": "CVE-2021-31408",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-20T08:17:00.000Z",
"TITLE": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
"vendor": {
"vendor_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "18.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "19.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "19.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "19.0.3",
"platform": ""
}
]
}
},
{
"product_name": "flow-client",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "5.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "6.0.4",
"platform": ""
}
]
}
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "18.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "19.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "19.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "19.0.3",
"platform": ""
}
]
}
},
{
"product_name": "flow-client",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "5.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "6.0.4",
"platform": ""
}
]
}
}
]
}
}
]
}
}
]
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
"problemtype_data": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
}
]
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out."
}
]
"description_data": [
{
"lang": "eng",
"value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31408"
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10577"
}
]
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31408",
"name": "https://vaadin.com/security/cve-2021-31408"
},
{
"refsource": "MISC",
"url": "https://github.com/vaadin/flow/pull/10577",
"name": "https://github.com/vaadin/flow/pull/10577"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}
}

147
2021/31xxx/CVE-2021-31410.json
View File

@ -3,100 +3,101 @@
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31410",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-22T12:29:00.000Z",
"TITLE": "Project sources exposure in Vaadin Designer",
"AKA": "",
"STATE": "PUBLIC"
"ID": "CVE-2021-31410",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-04-22T12:29:00.000Z",
"TITLE": "Project sources exposure in Vaadin Designer",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
"vendor": {
"vendor_data": [
{
"product_name": "Designer",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "4.3.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "4.6.3",
"platform": ""
}
]
}
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Designer",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "4.3.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<=",
"version_value": "4.6.3",
"platform": ""
}
]
}
}
]
}
}
]
}
}
]
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
"problemtype_data": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')"
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')"
}
]
}
]
}
]
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request."
}
]
"description_data": [
{
"lang": "eng",
"value": "Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31410"
}
]
"reference_data": [
{
"refsource": "MISC",
"url": "https://vaadin.com/security/cve-2021-31410",
"name": "https://vaadin.com/security/cve-2021-31410"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"baseScore": 8.6,
"baseSeverity": "HIGH"
}
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"baseScore": 8.6,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}
}

61
2021/31xxx/CVE-2021-31539.json
View File

@ -1,17 +1,66 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-31539",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-31539",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.wowza.com/products/streaming-engine",
"refsource": "MISC",
"name": "https://www.wowza.com/products/streaming-engine"
},
{
"refsource": "MISC",
"name": "https://www.gruppotim.it/redteam",
"url": "https://www.gruppotim.it/redteam"
}
]
}

61
2021/31xxx/CVE-2021-31540.json
View File

@ -1,17 +1,66 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-31540",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-31540",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.wowza.com/products/streaming-engine",
"refsource": "MISC",
"name": "https://www.wowza.com/products/streaming-engine"
},
{
"refsource": "MISC",
"name": "https://www.gruppotim.it/redteam",
"url": "https://www.gruppotim.it/redteam"
}
]
}