CVE-2021-31412

Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19

CVSS 5.3 MEDIUM
EPSS 1.3%
CWE-1295
In short

A Vaadin web framework flaw allows attackers to discover all available routes (URLs) in a production application by sending specially crafted requests, if no custom error handler is set up. This can help attackers map out the application's structure and find vulnerable endpoints.

Technical detail

The default RouteNotFoundError view in Vaadin flow-server fails to properly sanitize the request path, enabling route enumeration attacks in production mode when no custom NotFoundException handler is configured. An unauthenticated network attacker can discover all available application routes by probing for 404 responses, facilitating reconnaissance for further exploitation.

Summary generated and translated by AI from the official description.

Official description

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
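The description names the missing custom NotFoundException handler as the precondition for the flaw. The following is an added example, not code from the advisory or from Vaadin itself, of such a handler for Vaadin Flow: it replaces the default RouteNotFoundError view with a fixed 404 page that never reflects the requested path into the response. It assumes a Vaadin 10 to 19 application on the javax.servlet API; Vaadin registers error views that implement HasErrorParameter automatically at startup.

```java
// Added example (not Vaadin's or the advisory's own code): a custom
// error view for NotFoundException. Every unknown route gets the same
// constant body, so the response carries no route-specific information.
import com.vaadin.flow.component.Component;
import com.vaadin.flow.component.Tag;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.ErrorParameter;
import com.vaadin.flow.router.HasErrorParameter;
import com.vaadin.flow.router.NotFoundException;

import javax.servlet.http.HttpServletResponse;
import java.util.logging.Logger;

@Tag(Tag.DIV)
public class ConstantNotFoundView extends Component
        implements HasErrorParameter<NotFoundException> {

    private static final Logger LOG =
            Logger.getLogger(ConstantNotFoundView.class.getName());

    @Override
    public int setErrorParameter(BeforeEnterEvent event,
                                 ErrorParameter<NotFoundException> parameter) {
        // Keep the requested path server-side (for detection of probing)
        // and out of the rendered page.
        LOG.fine(() -> "404 for path: " + event.getLocation().getPath());

        // Fixed text, independent of the request; no exception message or
        // route list is exposed.
        getElement().setText("The requested page does not exist.");

        // Still answer with a proper 404 status.
        return HttpServletResponse.SC_NOT_FOUND;
    }
}
```

Because this class implements HasErrorParameter<NotFoundException>, Vaadin uses it instead of the default RouteNotFoundError view, which is the configuration the description says is required for the affected versions.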
