Lucene search

VaadinCVE-2021-33605

HistoryAug 25, 2021 - 1:15 p.m.

CVE-2021-33605

2021-08-2513:15:07

CWE-754

Vaadin

web.nvd.nist.gov

cve-2021-33605

checkboxgroup

com.vaadin

vaadin-checkbox-flow

information security

vulnerability

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.

Affected configurations

Nvd

Node

vaadinvaadin-checkbox-flowRange1.2.0–2.0.0

AND

vaadinvaadinRange12.0.0–14.0.0

Node

vaadinvaadin-checkbox-flowRange2.0.0–3.0.0

AND

vaadinvaadinRange14.0.0–14.5.0

Node

vaadinvaadin-checkbox-flowRange3.0.0–4.0.1

AND

vaadinvaadinRange15.0.0–17.0.11

Node

vaadinvaadin-checkbox-flowRange14.5.0–14.6.7

AND

vaadinvaadinRange14.5.0–14.6.7

Node

vaadinvaadin-checkbox-flowRange18.0.0–20.0.5

AND

vaadinvaadinRange18.0.0–20.0.5

VendorProductVersionCPE
vaadinvaadin-checkbox-flow*cpe:2.3:a:vaadin:vaadin-checkbox-flow:*:*:*:*:*:*:*:*
vaadinvaadin*cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vaadin	vaadin-checkbox-flow	*	cpe:2.3:a:vaadin:vaadin-checkbox-flow::::::::
vaadin	vaadin	*	cpe:2.3:a:vaadin:vaadin::::::::

CNA Affected

[
  {
    "product": "Vaadin",
    "vendor": "Vaadin",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "12.0.0",
        "versionType": "custom"
      },
      {
        "lessThan": "14.0.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "14.0.0",
        "versionType": "custom"
      },
      {
        "lessThan": "14.5.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "15.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "17.0.11",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "14.5.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "14.6.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "18.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "20.0.5",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "vaadin-checkbox-flow",
    "vendor": "Vaadin",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "1.2.0",
        "versionType": "custom"
      },
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      },
      {
        "lessThan": "3.0.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.0.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "14.5.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "14.6.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "18.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "20.0.5",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/vaadin/flow-components/pull/1903

vaadin.com/security/cve-2021-33605

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

Related for CVE-2021-33605