admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Import old advisories

Browse Source
This commit is contained in:
Artem Godin 2021-04-16 15:55:34 +03:00
parent 1d128fc731
commit ebf9ad3fc8
12 changed files with 1606 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
2017/20xxx/CVE-2017-20003.json
View File

@ -4,14 +4,14 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2017-20003",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security@vaadin.com",
"STATE": "REJECT"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none."
}
]
}

143
2018/25xxx/CVE-2018-25007.json
View File

@ -2,17 +2,138 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2018-25007",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2018-25007",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2018-11-29T09:17:00.000Z",
"TITLE": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "10.0.7",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "11.0.2",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "1.0.5",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2018-25007",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/4774",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"baseScore": 2.6,
"baseSeverity": "LOW"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

155
2019/25xxx/CVE-2019-25027.json
View File

@ -2,17 +2,150 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2019-25027",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2019-25027",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-05-27T08:17:00.000Z",
"TITLE": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "10.0.13",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "13.0.5",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "1.0.10",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.1.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "1.4.2",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-81 Improper Neutralization of Script in an Error Message Web Page"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2019-25027",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/5498",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"baseScore": 6.1,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

165
2019/25xxx/CVE-2019-25028.json
View File

@ -2,17 +2,160 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2019-25028",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2019-25028",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2019-07-04T08:17:00.000Z",
"TITLE": "Stored cross-site scripting in Grid component in Vaadin 7 and 8",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "USER"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.4.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "7.7.19",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "8.8.4",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.4.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "7.7.19",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "8.8.4",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2019-25028",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/11644",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/11645",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by MATE Marketing Technologie"
}
]
}

141
2020/36xxx/CVE-2020-36319.json
View File

@ -2,17 +2,136 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36319",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-36319",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-04-21T08:17:00.000Z",
"TITLE": "Potential sensitive data exposure in applications using Vaadin 15",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "15.0.4",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "3.0.5",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2020-36319",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/8016",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/8051",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"baseScore": 3.1,
"baseSeverity": "LOW"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Christian Knoop (https://github.com/knoobie)."
}
]
}

136
2020/36xxx/CVE-2020-36320.json
View File

@ -2,17 +2,131 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36320",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-36320",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-10-08T08:17:00.000Z",
"TITLE": "Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "7.7.21",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "7.7.21",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2020-36320",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/issues/7757",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12104",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

155
2020/36xxx/CVE-2020-36321.json
View File

@ -2,17 +2,150 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-36321",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-36321",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2020-11-26T09:17:00.000Z",
"TITLE": "Directory traversal in development mode handler in Vaadin 14 and 15-17",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "14.4.2",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "18.0.0",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "2.4.1",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "<",
"version_value": "5.0.0",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 through 17) allows attacker to request arbitrary files stored outside of intended frontend resources folder."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2020-36321",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/9392",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"baseScore": 5.9,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

165
2021/31xxx/CVE-2021-31403.json
View File

@ -2,17 +2,160 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31403",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-31403",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-12T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "7.7.23",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "8.12.2",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "7.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "7.7.21",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "8.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "8.12.2",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack"
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31403",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12190",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/framework/pull/12188",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
}

184
2021/31xxx/CVE-2021-31404.json
View File

@ -2,17 +2,179 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31404",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-31404",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-02-17T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "10.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "10.0.16",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "11.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "14.4.6",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "18.0.5",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "1.0.13",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.1.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "2.4.6",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "5.0.2",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 through 13), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 through 17), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31404",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/9875",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
}

155
2021/31xxx/CVE-2021-31405.json
View File

@ -2,17 +2,150 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31405",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-31405",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-11T09:17:00.000Z",
"TITLE": "Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "14.0.6",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "14.4.3",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "17.0.10",
"platform": ""
}
]
}
},
{
"product_name": "vaadin-text-field-flow",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "2.0.4",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "2.3.2",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "4.0.2",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31405",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow-components/pull/442",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}

160
2021/31xxx/CVE-2021-31406.json
View File

@ -2,17 +2,155 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31406",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-31406",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-19T09:17:00.000Z",
"TITLE": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "15.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "18.0.6",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "19.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>=",
"version_value": "19.0.1",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "3.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "5.0.3",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>=",
"version_value": "6.0.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208 Information Exposure Through Timing Discrepancy"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31406",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10157",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"baseScore": 4,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and responsibly reported by Xhelal Likaj."
}
]
}

165
2021/31xxx/CVE-2021-31407.json
View File

@ -2,17 +2,160 @@
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2021-31407",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-31407",
"ASSIGNER": "security@vaadin.com",
"DATE_PUBLIC": "2021-03-29T08:17:00.000Z",
"TITLE": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [],
"advisory": "",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Vaadin",
"product": {
"product_data": [
{
"product_name": "Vaadin",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "12.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "14.4.9",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "19.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>=",
"version_value": "19.0.1",
"platform": ""
}
]
}
},
{
"product_name": "flow-server",
"version": {
"version_data": [
{
"version_name": "",
"version_affected": ">=",
"version_value": "1.2.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>",
"version_value": "2.4.7",
"platform": ""
},
{
"version_name": "",
"version_affected": ">=",
"version_value": "6.0.0",
"platform": ""
},
{
"version_name": "",
"version_affected": "!>=",
"version_value": "6.0.1",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://vaadin.com/security/cve-2021-31407",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/osgi/issues/50",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10229",
"name": ""
},
{
"refsource": "CONFIRM",
"url": "https://github.com/vaadin/flow/pull/10269",
"name": ""
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"baseScore": 8.6,
"baseSeverity": "HIGH"
}
},
"exploit": [],
"work_around": [],
"solution": [],
"credit": []
}