vaadin flow debug messages revealing unnecessary information

admin

0
文章

0
评论

2023-12-01 13:54:53 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 vaadin flow debug messages revealing unnecessary information

CVE编号

CVE-2021-31412

利用情况

暂无

补丁情况

官方补丁

披露时间

2021-06-28

漏洞描述

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/vaadin/flow/pull/11107
https://vaadin.com/security/cve-2021-31412

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	vaadin	flow	*	From (including) 1.0.0	Up to (including) 1.0.14
	运行在以下环境
	应用	vaadin	flow	*	From (including) 1.1.0	Up to (including) 1.4.0
	运行在以下环境
	应用	vaadin	flow	*	From (including) 2.0.0	Up to (including) 2.6.1
	运行在以下环境
	应用	vaadin	flow	*	From (including) 3.0.0	Up to (including) 5.0.0
	运行在以下环境
	应用	vaadin	flow	*	From (including) 6.0.0	Up to (including) 6.0.9
	运行在以下环境
	应用	vaadin	vaadin	*	From (including) 10.0.0	Up to (including) 10.0.18
	运行在以下环境
	应用	vaadin	vaadin	*	From (including) 11.0.0	Up to (including) 13.0.0
	运行在以下环境
	应用	vaadin	vaadin	*	From (including) 14.0.0	Up to (including) 14.6.1
	运行在以下环境
	应用	vaadin	vaadin	*	From (including) 15.0.0	Up to (including) 18.0.0
	运行在以下环境
	应用	vaadin	vaadin	*	From (including) 19.0.0	Up to (including) 19.0.8