CVSS2: 5.0 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.002 Low
Percentile: 54.7%
Unsafe validation RegEx in the EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. See CWE-400: Uncontrolled Resource Consumption.

Description

The regular expression used on the server side to validate the input of email fields (com.vaadin.data.validator.EmailValidator) is subject to exponential backtracking, which may result in unbounded resource consumption and denial of service. To perform the attack it is enough to enter a malicious email address into any email field and submit the value to the server for validation (this happens automatically when the field loses focus). The server-side UI thread can then spend an arbitrarily long time (depending on the input) matching the address against the validation pattern. By repeating this action the attacker may exhaust the thread pool or other resources, making the application unresponsive for normal users.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue:

Product version: Vaadin 7.0.0 - 7.7.21
Mitigation: Upgrade to 7.7.22 or a newer 7.x version (Vaadin 7 extended maintenance)

Please note that Vaadin 7 maintenance releases are only available to extended-support customers.

Artifacts

Maven coordinates: com.vaadin:vaadin-server
Vulnerable version: 7.0.0 - 7.7.21
Fixed version: >= 7.7.22

References

Reference: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
Issue: https://github.com/vaadin/framework/issues/7757
PR: https://github.com/vaadin/framework/pull/12104
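The following is an added illustration of the failure mode the description above refers to; it is not code from the advisory, from Vaadin, or from the linked PR. Python's re module is a backtracking engine like java.util.regex, so the blow-up reproduces the same way. The "vulnerable" pattern is an assumed pattern of the shape the advisory describes (a repeated group nested under another repetition plus a trailing counted group under "+"), not a quote of Vaadin's source; the attack payload is constructed here; and the hardened validator (a length cap applied before any regex work, then an unambiguous pattern) is the generic fix a practitioner would apply, not necessarily what the upstream PR did.

```python
import re
import time

# Pattern of the same shape the advisory describes: a "+"-quantified group that
# itself sits under another "+" ((...)+\.)+ and a trailing ({2,4})+ group.
# Assumed for illustration; it is not quoted from Vaadin's source.
VULNERABLE_SHAPE = re.compile(
    r"^([a-zA-Z0-9_.+-])+@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,4})+$"
)

# Hardened shape: every repeated group is fenced by a literal "." and no
# quantifier is nested inside another, so any input has at most one way to
# match and a failing match backtracks linearly instead of exponentially.
SAFE_SHAPE = re.compile(
    r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.[a-zA-Z]{2,}$"
)

# RFC 5321 limits a path to 256 octets including the angle brackets, i.e. 254
# characters for the address itself. Checking this before the regex runs bounds
# the work an attacker can trigger even if the pattern turns out to be bad.
MAX_EMAIL_LEN = 254


def attack_payload(n: int) -> str:
    """Constructed ReDoS input (not taken from the advisory).

    "a@b." satisfies the local part and one domain label; the n letters can be
    split into 2-, 3- and 4-letter chunks by the trailing ({2,4})+ group in
    exponentially many ways; the final "!" makes "$" fail so every split is tried.
    """
    return "a@b." + "a" * n + "!"


def vulnerable_validate(addr: str) -> bool:
    """Validation with the ambiguous pattern and no length cap."""
    return VULNERABLE_SHAPE.match(addr) is not None


def hardened_validate(addr: str) -> bool:
    """Length cap first, then an unambiguous pattern."""
    if len(addr) > MAX_EMAIL_LEN:
        return False
    return SAFE_SHAPE.match(addr) is not None


def match_seconds(validate, addr: str) -> float:
    """Wall-clock time for one validation call."""
    start = time.perf_counter()
    validate(addr)
    return time.perf_counter() - start


if __name__ == "__main__":
    for addr in ("alice@example.com", "a.b+tag@mail.example.co.uk",
                 "not-an-address", "a@b"):
        print(f"{addr!r:32} vulnerable={vulnerable_validate(addr)} "
              f"hardened={hardened_validate(addr)}")
    # The vulnerable matcher's time grows geometrically with n while the
    # hardened one stays flat. n is kept modest so this finishes promptly.
    for n in (20, 24, 28, 32, 36, 40):
        payload = attack_payload(n)
        print(f"n={n:2d}  vulnerable={match_seconds(vulnerable_validate, payload):.4f}s"
              f"  hardened={match_seconds(hardened_validate, payload):.6f}s")
```

Both validators agree on ordinary addresses; the difference only shows on a crafted value that is about to be rejected anyway, which is why a ReDoS is easy to miss in functional testing. The length cap matters independently of the pattern: it is the one check that keeps a future regex change from reintroducing unbounded work.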