Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/com.vaadin/flow-server@1.0.0

Type maven

Namespace com.vaadin

Name flow-server

Version 1.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.0.15

Latest_non_vulnerable_version 25.0.2

Affected_by_vulnerabilities

url VCID-kkf3-sqmf-f3ft

vulnerability_id VCID-kkf3-sqmf-f3ft

summary

Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Improper sanitization of path in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for `NotFoundException` is provided.

references

reference_url	https://vaadin.com/security/cve-2021-31412
reference_id	CVE-2021-31412
reference_type
scores
url	https://vaadin.com/security/cve-2021-31412

reference_url	https://github.com/advisories/GHSA-fr26-qjc8-mvjx
reference_id	GHSA-fr26-qjc8-mvjx
reference_type
scores
url	https://github.com/advisories/GHSA-fr26-qjc8-mvjx

reference_url	https://github.com/vaadin/flow/security/advisories/GHSA-fr26-qjc8-mvjx
reference_id	GHSA-fr26-qjc8-mvjx
reference_type
scores
url	https://github.com/vaadin/flow/security/advisories/GHSA-fr26-qjc8-mvjx

fixed_packages

url	pkg:maven/com.vaadin/flow-server@1.0.15
purl	pkg:maven/com.vaadin/flow-server@1.0.15
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@1.0.15

url	pkg:maven/com.vaadin/flow-server@2.6.2
purl	pkg:maven/com.vaadin/flow-server@2.6.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.6.2

url	pkg:maven/com.vaadin/flow-server@6.0.10
purl	pkg:maven/com.vaadin/flow-server@6.0.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.10

aliases GHSA-fr26-qjc8-mvjx, GMS-2021-142

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kkf3-sqmf-f3ft

url VCID-qdgn-1rqg-vuae

vulnerability_id VCID-qdgn-1rqg-vuae

summary

Exposure of Sensitive Information to an Unauthorized Actor
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

references

reference_url	https://github.com/vaadin/flow/pull/15885
reference_id
reference_type
scores
url	https://github.com/vaadin/flow/pull/15885

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-25499
reference_id	CVE-2023-25499
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-25499

reference_url	https://vaadin.com/security/CVE-2023-25499
reference_id	CVE-2023-25499
reference_type
scores
url	https://vaadin.com/security/CVE-2023-25499

reference_url	https://github.com/advisories/GHSA-5f9v-mv5g-jh5q
reference_id	GHSA-5f9v-mv5g-jh5q
reference_type
scores
url	https://github.com/advisories/GHSA-5f9v-mv5g-jh5q

reference_url	https://github.com/vaadin/platform/security/advisories/GHSA-5f9v-mv5g-jh5q
reference_id	GHSA-5f9v-mv5g-jh5q
reference_type
scores
url	https://github.com/vaadin/platform/security/advisories/GHSA-5f9v-mv5g-jh5q

fixed_packages

url	pkg:maven/com.vaadin/flow-server@1.0.20
purl	pkg:maven/com.vaadin/flow-server@1.0.20
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@1.0.20

url	pkg:maven/com.vaadin/flow-server@2.8.10
purl	pkg:maven/com.vaadin/flow-server@2.8.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.8.10

url	pkg:maven/com.vaadin/flow-server@9.1.1
purl	pkg:maven/com.vaadin/flow-server@9.1.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@9.1.1

url	pkg:maven/com.vaadin/flow-server@23.3.11
purl	pkg:maven/com.vaadin/flow-server@23.3.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@23.3.11

url	pkg:maven/com.vaadin/flow-server@24.0.8
purl	pkg:maven/com.vaadin/flow-server@24.0.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.0.8

aliases CVE-2023-25499, GHSA-5f9v-mv5g-jh5q

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qdgn-1rqg-vuae

url VCID-tfwa-kphb-j3b8

vulnerability_id VCID-tfwa-kphb-j3b8

summary

Exposure of Sensitive Information to an Unauthorized Actor
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

references

reference_url	https://github.com/vaadin/flow/pull/16935
reference_id
reference_type
scores
url	https://github.com/vaadin/flow/pull/16935

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-25500
reference_id	CVE-2023-25500
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-25500

reference_url	https://vaadin.com/security/cve-2023-25500
reference_id	CVE-2023-25500
reference_type
scores
url	https://vaadin.com/security/cve-2023-25500

reference_url	https://github.com/advisories/GHSA-ch48-9r3q-pv7x
reference_id	GHSA-ch48-9r3q-pv7x
reference_type
scores
url	https://github.com/advisories/GHSA-ch48-9r3q-pv7x

reference_url	https://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x
reference_id	GHSA-ch48-9r3q-pv7x
reference_type
scores
url	https://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x

fixed_packages

url	pkg:maven/com.vaadin/flow-server@1.0.21
purl	pkg:maven/com.vaadin/flow-server@1.0.21
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@1.0.21

url	pkg:maven/com.vaadin/flow-server@2.9.3
purl	pkg:maven/com.vaadin/flow-server@2.9.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.9.3

url	pkg:maven/com.vaadin/flow-server@9.1.2
purl	pkg:maven/com.vaadin/flow-server@9.1.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@9.1.2

url	pkg:maven/com.vaadin/flow-server@23.3.13
purl	pkg:maven/com.vaadin/flow-server@23.3.13
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@23.3.13

url	pkg:maven/com.vaadin/flow-server@24.0.9
purl	pkg:maven/com.vaadin/flow-server@24.0.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.0.9

aliases CVE-2023-25500, GHSA-ch48-9r3q-pv7x

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tfwa-kphb-j3b8

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@1.0.0

Package Instance