Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
CVE-2021-31412

5.3MEDIUM

Key Information:

Vendor: Vaadin
Status: Vaadin; Flow-server
Vendor: CVE Published:; 24 June 2021

What is CVE-2021-31412?

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

flow-server 1.0.0

flow-server <= 1.0.14

flow-server 1.1.0

References

https://vaadin.com/security/cve-2021-31412

x_refsource_CONFIRM

https://github.com/vaadin/flow/pull/11107

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 24, 2021
Vulnerability Reserved
Apr 15, 2021

JSON

Vaadin

What is CVE-2021-31412?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.