PT-2021-19290 · Vaadin · Vaadin-Compatibility-Server+1

Stefan Penndorf · Published 2021-05-04 · Updated 2021-10-13

CVE-2021-31409

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4
Vaadin versions 8.0.0 through 8.12.4

Description

The EmailValidator component validates addresses with an unsafe regular expression that backtracks heavily on certain inputs. An unauthenticated attacker who can submit a value to a field that uses this validator can send a crafted email address that makes the regular expression engine consume a disproportionate amount of CPU time (regular-expression denial of service), causing uncontrolled resource consumption on the server and a loss of availability.

Recommendations

Upgrade com.vaadin:vaadin-compatibility-server / Vaadin 8 to a release later than 8.12.4, the last version in the affected range. Where upgrading is not yet possible, stop using the EmailValidator component in the affected versions, or replace its check with a pattern that contains no nested quantifiers, and reject over-long input before any regular expression runs.
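As an added illustration (not code from this advisory or from Vaadin), the Python script below shows the class of regular-expression flaw the description refers to: a nested quantifier in the top-level-domain part of an email pattern forces a backtracking engine to try every way of splitting a run of letters into chunks before it can fail, so a rejected input costs time that grows exponentially with its length. Python's re is a backtracking engine like java.util.regex, so the effect is the same kind the advisory describes. The pattern VULNERABLE_EMAIL_RE is an assumed example of that construct, not Vaadin's actual EmailValidator expression; SAFE_EMAIL_RE accepts exactly the same addresses with a single unambiguous quantifier, validate_email adds a length cap in front of the regex, and redos_input builds a constructed attack string.

```python
import re
import time

# Assumed illustrative pattern, NOT Vaadin's actual EmailValidator regex.
# The trailing ([a-zA-Z0-9]{2,4})+ is a nested quantifier: a run of letters can
# be split into 2-, 3- and 4-character chunks in exponentially many ways, and a
# backtracking engine tries all of them before reporting a failed match.
VULNERABLE_EMAIL_RE = re.compile(
    r"^[a-zA-Z0-9_.+-]+@([a-zA-Z0-9-]+\.)+([a-zA-Z0-9]{2,4})+$"
)

# Same accepted language (a TLD of two or more alphanumerics), but the TLD is
# a single bounded repetition, so a failed match costs linear work.
SAFE_EMAIL_RE = re.compile(
    r"^[a-zA-Z0-9_.+-]+@([a-zA-Z0-9-]+\.)+[a-zA-Z0-9]{2,}$"
)

# RFC 5321 limits a path to 256 octets including the angle brackets, so 254
# characters is the customary upper bound for an address.
MAX_EMAIL_LENGTH = 254


def redos_input(n: int) -> str:
    """Constructed attack string: a valid prefix, n alphanumerics in the TLD
    position, then a character that cannot appear in an address, so the only
    possible outcome is failure after exhaustive backtracking."""
    return "a@b." + "a" * n + "!"


def time_pattern(pattern: re.Pattern, candidate: str, repeats: int = 3) -> float:
    """Seconds taken by the fastest of `repeats` anchored match attempts."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(candidate)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(n_small: int, n_large: int) -> float:
    """How much slower the vulnerable pattern gets when the attack string grows
    from n_small to n_large letters. A linear-time pattern would give roughly
    n_large / n_small; the nested quantifier gives exponential growth."""
    t_small = time_pattern(VULNERABLE_EMAIL_RE, redos_input(n_small))
    t_large = time_pattern(VULNERABLE_EMAIL_RE, redos_input(n_large))
    return t_large / max(t_small, 1e-9)


def validate_email(candidate: str) -> bool:
    """Hardened check: reject oversized input before any regex runs, then use
    the pattern without nested quantifiers."""
    if len(candidate) > MAX_EMAIL_LENGTH:
        return False
    return SAFE_EMAIL_RE.match(candidate) is not None


def same_decision(candidate: str) -> bool:
    """True when the vulnerable and safe patterns agree on `candidate`; a
    drop-in replacement pattern must preserve this for every input."""
    return (VULNERABLE_EMAIL_RE.match(candidate) is None) == (
        SAFE_EMAIL_RE.match(candidate) is None
    )


if __name__ == "__main__":
    print(f"{'n':>4} {'vulnerable (s)':>16} {'safe (s)':>12}")
    for n in (16, 20, 24, 28, 32):
        s = redos_input(n)
        print(f"{n:>4} {time_pattern(VULNERABLE_EMAIL_RE, s):>16.6f} "
              f"{time_pattern(SAFE_EMAIL_RE, s):>12.6f}")
    print("growth 20 -> 32 letters:", round(growth_ratio(20, 32)))
```

Running the script prints a table in which the vulnerable column roughly doubles every two extra letters while the safe column stays flat; the length cap in validate_email is the defence that holds even if a future pattern change reintroduces an ambiguous quantifier.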

Fix

Upgrade to a release of com.vaadin:vaadin-compatibility-server / Vaadin 8 later than 8.12.4, the last version in the affected range.

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2021-31409
GHSA-C332-W4JM-55WV
GHSA-JFMF-W293-8XR8

Affected Products

Vaadin
Vaadin-Compatibility-Server