[MAVEN:GHSA-J9WR-49VQ-RM5G] Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Severity High

Affected Packages 2

Fixed Packages 2

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

https://vaadin.com/security/cve-2021-31407

Package	Affected Version
pkg:maven/com.vaadin/vaadin-bom	= 19.0.0
pkg:maven/com.vaadin/vaadin-bom	>= 12.0.0, < 14.4.10

Package	Fixed Version
pkg:maven/com.vaadin/vaadin-bom	= 19.0.1
pkg:maven/com.vaadin/vaadin-bom	= 14.4.10

ID: MAVEN:GHSA-J9WR-49VQ-RM5G
Severity: high
URL: https://github.com/advisories/GHSA-j9wr-49vq-rm5g
Published: 2021-04-19T14:46:49
(3 years ago)
Modified: 2023-01-09T05:04:27
(20 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://github.com/vaadin/platform/security/advisories/GHSA-j9wr-49vq-rm5g
			https://vaadin.com/security/cve-2021-31407
			https://github.com/advisories/GHSA-j9wr-49vq-rm5g

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/com.vaadin/vaadin-bom	com.vaadin	vaadin-bom	= 19.0.0
Fixed	pkg:maven/com.vaadin/vaadin-bom	com.vaadin	vaadin-bom	= 19.0.1
Affected	pkg:maven/com.vaadin/vaadin-bom	com.vaadin	vaadin-bom	>= 12.0.0 < 14.4.10
Fixed	pkg:maven/com.vaadin/vaadin-bom	com.vaadin	vaadin-bom	= 14.4.10