CVE-2021-33604

Published Jun 24, 2021

Last updated 3 years ago

CVSS low 2.5

Overview

Description: URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
Source: security@vaadin.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 2.5
Impact score: 1.4
Exploitability score: 1
Vector string: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity: LOW

CVSS 2.0

Type: Primary
Base score: 1.2
Impact score: 2.9
Exploitability score: 1.9
Vector string: AV:L/AC:H/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: NVD-CWE-Other
security@vaadin.com: CWE-172

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EFD551C5-B7BB-45F2-BBDD-B7181E18B3E0",
            "versionEndIncluding": "2.6.1",
            "versionStartIncluding": "2.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FEF29305-886B-45FA-A98D-B9C2524B4891",
            "versionEndIncluding": "5.0.0",
            "versionStartIncluding": "3.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:flow-server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB09AE9F-4900-4A18-8071-A5B0E713335F",
            "versionEndIncluding": "6.0.9",
            "versionStartIncluding": "6.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4367271F-BC87-4C32-BBFC-F9F97ACD2D33",
            "versionEndIncluding": "14.6.1",
            "versionStartIncluding": "14.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DC99FEC9-DABA-4E7E-AA04-67146840B360",
            "versionEndIncluding": "18.0.0",
            "versionStartIncluding": "15.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "64FCA0F3-0104-490C-B8CA-860B52BCAC29",
            "versionEndIncluding": "19.0.8",
            "versionStartIncluding": "19.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References