Armis Vulnerability Intelligence Database

Description Preview

A vulnerability has been identified in Vaadin Flow server component that affects versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8). The issue exists in the development mode handler where improper URL encoding allows a local user to execute arbitrary JavaScript code by opening a specially crafted URL in a browser. This vulnerability could potentially lead to client-side attacks when development mode is enabled.

Overview

The vulnerability (CVE-2021-33604) affects the development mode handler in the com.vaadin:flow-server component. When in development mode, the application fails to properly encode URLs, which can be exploited by a local user to inject and execute arbitrary JavaScript code. This vulnerability is particularly concerning in development environments where multiple developers may have access to the application. An attacker could craft a malicious URL that, when opened in a browser, executes JavaScript code in the context of the application, potentially leading to information disclosure or other client-side attacks.

Remediation

Users should upgrade to patched versions of Vaadin:

For Vaadin 14.x: Upgrade to version 14.6.2 or later
For Vaadin 15.x through 19.x: Upgrade to version 19.0.9 or later

If immediate upgrading is not possible, consider the following mitigation:

Disable development mode in production environments
Limit access to development instances to trusted users only
Be cautious when opening URLs from untrusted sources in development environments

References

Official Vaadin security advisory: https://vaadin.com/security/cve-2021-33604
Patch information: https://github.com/vaadin/flow/pull/11099
Affected versions:
- com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1)
- com.vaadin:flow-server versions 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8)

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

Accommodation & Food Services
Accommodation & Food Services
Administrative, Support, Waste Management & Remediation Services
Administrative, Support, Waste Management & Remediation Services
Agriculture, Forestry Fishing & Hunting
Agriculture, Forestry Fishing & Hunting
Arts, Entertainment & Recreation
Arts, Entertainment & Recreation
Construction
Construction
Educational Services
Educational Services
Finance and Insurance
Finance and Insurance
Health Care & Social Assistance
Health Care & Social Assistance
Information
Information
Management of Companies & Enterprises
Management of Companies & Enterprises
Manufacturing
Manufacturing
Mining
Mining
Other Services (except Public Administration)
Other Services (except Public Administration)
Professional, Scientific, & Technical Services
Professional, Scientific, & Technical Services
Public Administration
Public Administration
Real Estate Rental & Leasing
Real Estate Rental & Leasing
Retail Trade
Retail Trade
Transportation & Warehousing
Transportation & Warehousing
Utilities
Utilities
Wholesale Trade
Wholesale Trade

^{CVE-2021-33604:}URL encoding error in Vaadin Flow server allows local JavaScript code execution via crafted URLs.

Description Preview

Overview

Remediation

References

Focus on What Matters

Let's talk!