
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19

Severity:
Medium (Base score 5.3) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE entry:
CVE-2021-31412

Overview

Improper sanitization of the request path in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a network attacker to enumerate all registered routes via a crafted HTTP request when the application is running in production mode and no custom handler for NotFoundException is provided.

See CWE-1295: Debug Messages Revealing Unnecessary Information

Description

The vulnerability exposes the list of all registered route paths of the application, even in production mode, when the application relies on the default RouteNotFoundError view instead of providing its own error view. An exposed route list lets a threat actor map the attack surface precisely and scan views in a targeted way instead of guessing paths. In the worst case it can reveal views intended for internal use that lack proper access control checks or other security measures.
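The mitigation the advisory refers to is to register an application-specific handler for NotFoundException, so that Flow never falls back to the default RouteNotFoundError view. The following is an added example, not code from Vaadin or from the advisory. It uses only documented Vaadin Flow APIs (HasErrorParameter, ErrorParameter, BeforeEnterEvent) and the javax.servlet status constant that applies to the Vaadin 10 to 19 line; the class name NotFoundView and the logger usage are arbitrary choices for this example.

```java
import javax.servlet.http.HttpServletResponse;
import java.util.logging.Logger;

import com.vaadin.flow.component.html.Div;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.ErrorParameter;
import com.vaadin.flow.router.HasErrorParameter;
import com.vaadin.flow.router.NotFoundException;

/**
 * Application-specific 404 view (example; the class name is arbitrary).
 *
 * Flow picks up any HasErrorParameter<NotFoundException> implementation on the
 * classpath and uses it instead of the built-in RouteNotFoundError view, so no
 * route listing is ever rendered to the client, in development or in production.
 */
public class NotFoundView extends Div implements HasErrorParameter<NotFoundException> {

    private static final Logger LOG = Logger.getLogger(NotFoundView.class.getName());

    @Override
    public int setErrorParameter(BeforeEnterEvent event,
                                 ErrorParameter<NotFoundException> parameter) {
        // Deliberately static: do not echo the requested path, the exception
        // message, or anything derived from the route registry back to the client.
        setText("The page you requested does not exist.");

        // Keep the diagnostic detail server-side only, at a non-default log level
        // so a scanner hammering unknown paths cannot flood production logs.
        String requestedPath = event.getLocation().getPath();
        LOG.fine(() -> "No route matched path: " + requestedPath);

        // Return a real 404 so clients, caches and scanners see the correct status.
        return HttpServletResponse.SC_NOT_FOUND;
    }
}
```

After deploying, request a path that does not exist against a production build and confirm that the response body contains only the static message above and carries a 404 status; any response that still lists route paths means the custom view was not picked up (for example, because it is outside the packages Flow scans in your setup).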

Affected products and mitigation

Users of affected versions should upgrade to a fixed release listed below. Where an upgrade is not immediately possible, register a custom error view for NotFoundException so that the default RouteNotFoundError view is never used. Releases that have fixed this issue include:

Product version           Mitigation
Vaadin 10.0.0 - 10.0.18   Upgrade to 10.0.19 or a newer 10.x release
Vaadin 11 - 13            No longer supported; upgrade to 14.6.2 or newer
Vaadin 14.0.0 - 14.6.1    Upgrade to 14.6.2 or a newer 14.x release
Vaadin 15 - 18            No longer supported; upgrade to 19.0.9 or newer
Vaadin 19.0.0 - 19.0.8    Upgrade to 19.0.9 or a newer 19.x release

Please note that Vaadin versions 11-13 and 15-18 are no longer supported and receive no fix for this issue; update to the latest 14 or 19 release, respectively.

Artifacts

Maven coordinates        Vulnerable versions   Fixed version
com.vaadin:flow-server   1.0.0 - 1.0.14        ≥ 1.0.15
com.vaadin:flow-server   1.1 - 1.4             N/A (unsupported line, no fix released; move to ≥ 2.6.2)
com.vaadin:flow-server   2.0.0 - 2.6.1         ≥ 2.6.2
com.vaadin:flow-server   3.0 - 5.0             N/A (unsupported line, no fix released; move to ≥ 6.0.10)
com.vaadin:flow-server   6.0.0 - 6.0.9         ≥ 6.0.10

History

  • 2021-06-24: Initial vulnerability report published