Lucene search

[email protected]NVD:CVE-2018-25007

HistoryApr 23, 2021 - 4:15 p.m.

CVE-2018-25007

2021-04-2316:15:07

CWE-754

[email protected]

web.nvd.nist.gov

cve-2018-25007

vaadin 10.0.0

vaadin 10.0.7

vaadin 11.0.0

vaadin 11.0.2

uidl request handler

synchronization message crafted

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

22.7%

JSON

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.

Affected configurations

Nvd

Node

vaadinflowRange1.0.0–1.0.6

vaadinvaadinRange10.0.0–10.0.8

vaadinvaadinRange11.0.0–11.0.3

VendorProductVersionCPE
vaadinflow*cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*
vaadinvaadin*cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vaadin	flow	*	cpe:2.3:a:vaadin:flow::::::::
vaadin	vaadin	*	cpe:2.3:a:vaadin:vaadin::::::::

References

github.com/vaadin/flow/pull/4774

vaadin.com/security/cve-2018-25007

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

22.7%

JSON

Related for NVD:CVE-2018-25007

cve1 osv3 vaadin1 veracode1 github2 prion1 cvelist1