VAADIN:CVE-2021-31407

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

2021-03-29 00:00:00
vaadin.com

CVSS2: 5 Medium
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVSS3: 8.6 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.003 Low
Percentile: 65.1%

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request. See CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak').

Description

This vulnerability only applies to Vaadin OSGi applications in the aforementioned versions. It is the outcome of the combination of the default behavior of the Http Whiteboard specification in OSGi and the static resource handling of VaadinServlet:

The Http Whiteboard specification in OSGi works in such a way that all resources inside a bundle/jar are available via the ServletContext class to any servlet that is registered inside that bundle/jar. This is expected behavior of the Http Whiteboard specification in OSGi.

The VaadinServlet class exposes all resources available in the ServletContext over HTTP (through the StaticFileServer class).

When a VaadinServlet is registered using the Http Whiteboard, it therefore by default exposes all resources available in the ServletContext of its bundle/jar to the browser, as long as the request comes directly for the exact URL of the resource. This only applies to resources within the same bundle as the servlet; resources from other bundles are not accessible, because the Http Whiteboard does not expose them via ServletContext. In non-OSGi Vaadin applications, the ServletContext does not provide access to resources in this way. In practice this means that any Java class or static resource that is part of the same bundle as the registered servlet can be requested from the browser by using the request URL corresponding to that resource.

To exploit the vulnerability, one has to, at a minimum, know an entry point to the system that might provide further information on the resources that are accessible. To address the issue, it is recommended to update the Vaadin version to the aforementioned maintenance versions where the issue is fixed. One can test whether a Vaadin OSGi application is affected by trying to access class files or static resources via the browser.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version          Mitigation
Vaadin 12 - 13           No longer supported. Upgrade to 14.4.10 or newer 14 version
Vaadin 14.0.0 - 14.4.9   Upgrade to 14.4.10 or newer 14 version
Vaadin 19.0.0            Upgrade to 19.0.1 or newer 19 version

Please note that Vaadin versions 12-13 are no longer supported and you should update to the latest 14 version.

Artifacts

Maven coordinates        Vulnerable version   Fixed version
com.vaadin:flow-server   1.2.0 - 2.4.7        ≥ 2.4.8
com.vaadin:flow-server   6.0.0 - 6.0.1        ≥ 6.0.2

References

Issue: https://github.com/vaadin/osgi/issues/50
PR: https://github.com/vaadin/flow/pull/10229
PR: https://github.com/vaadin/flow/pull/10269
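The description above boils down to one design flaw: a servlet handed the whole ServletContext of its bundle serves whatever the context can resolve, including compiled classes and bundle metadata. The following Java class is an added illustration of the defence-in-depth check such a resource server should perform; it is not Vaadin's fix (the fix is upgrading flow-server as listed above) and not code from the Vaadin project. The class name ServletContextResourceGuard, the isServable method, the public roots "/images/" and "/frontend/", and the sample request paths in main are all assumptions constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

/**
 * Hypothetical defence-in-depth guard for a servlet that serves files straight
 * out of ServletContext, the situation the advisory describes for VaadinServlet
 * under the OSGi Http Whiteboard. Added example, not Vaadin's own code or fix.
 * It turns "everything in the bundle is reachable" into "only named public
 * roots are reachable, and never compiled classes or bundle metadata".
 */
public final class ServletContextResourceGuard {

    /** Bundle/webapp internals that must never be served over HTTP (lower-cased). */
    private static final List<String> PRIVATE_PREFIXES =
        List.of("/web-inf/", "/meta-inf/", "/osgi-inf/", "/osgi-opt/");

    /** Compiled code and packaged archives are never static web assets. */
    private static final List<String> PRIVATE_SUFFIXES = List.of(".class", ".jar");

    private final List<String> publicRoots;

    /** @param publicRoots directory prefixes such as "/images/" that may be served (assumed). */
    public ServletContextResourceGuard(List<String> publicRoots) {
        this.publicRoots = publicRoots.stream()
            .map(r -> r.toLowerCase(Locale.ROOT))
            .collect(Collectors.toList());
    }

    /** Returns true only for a request path that is safe to resolve through ServletContext. */
    public boolean isServable(String rawPath) {
        if (rawPath == null || !rawPath.startsWith("/")) {
            return false;
        }
        String decoded;
        try {
            decoded = new URI(rawPath).getPath();   // percent-decodes exactly once, drops query/fragment
        } catch (URISyntaxException e) {
            return false;                           // malformed escapes, raw spaces, etc.
        }
        // A residual '%' after one decode means double encoding: refuse rather than decode again.
        if (decoded == null || decoded.contains("%") || decoded.indexOf('\0') >= 0
                || decoded.indexOf('\\') >= 0) {
            return false;
        }
        // Reject ".", ".." and empty segments ("//") so no traversal or aliasing survives.
        for (String segment : decoded.substring(1).split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        String lower = decoded.toLowerCase(Locale.ROOT);
        for (String prefix : PRIVATE_PREFIXES) {
            if ((lower + "/").startsWith(prefix)) {   // also catches "/WEB-INF" without a slash
                return false;
            }
        }
        for (String suffix : PRIVATE_SUFFIXES) {
            if (lower.endsWith(suffix)) {
                return false;
            }
        }
        // Finally require an explicit public root instead of exposing the whole context.
        return publicRoots.stream().anyMatch(lower::startsWith);
    }

    public static void main(String[] args) {
        ServletContextResourceGuard guard =
            new ServletContextResourceGuard(List.of("/images/", "/frontend/"));
        // Constructed sample request paths; class and directory names are placeholders.
        List<String> requests = List.of(
            "/images/logo.png",                    // served
            "/frontend/styles.css",                // served
            "/com/example/app/MainView.class",     // refused: compiled class inside the bundle
            "/META-INF/MANIFEST.MF",               // refused: bundle metadata
            "/OSGI-INF/component.xml",             // refused: bundle metadata
            "/WEB-INF",                            // refused: private root even without a slash
            "/images/%2e%2e/META-INF/MANIFEST.MF", // refused: traversal after decoding
            "/images/%252e%252e/x.png",            // refused: double encoding
            "/images//logo.png");                  // refused: empty segment
        for (String r : requests) {
            System.out.printf("%-42s -> %s%n", r, guard.isServable(r) ? "serve" : "refuse");
        }
    }
}
```

The allowlist at the end is the part that matters most: a denylist of known-private prefixes would still have missed a bundle that keeps its classes or configuration under an unexpected directory, whereas requiring an explicit public root fails closed for anything the deployer did not name.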
