PT-2021-19294 · Vaadin · com.vaadin:flow-server
Published
2021-06-24
·
Updated
2022-10-25
·
CVE-2021-31412
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
com.vaadin:flow-server versions 1.0.0 through 1.0.14
com.vaadin:flow-server versions 1.1.0 prior to 2.0.0
com.vaadin:flow-server versions 2.0.0 through 2.6.1
com.vaadin:flow-server versions 3.0.0 through 6.0.9
Description
Improper sanitization of the requested path in the default RouteNotFoundError view of com.vaadin:flow-server allows an unauthenticated network attacker to enumerate all registered routes via a crafted HTTP request. The issue is exploitable only when the application is running in production mode and no custom handler for NotFoundException is provided; the default view is intended to list available routes only in development mode, and the flaw lets a crafted request obtain that listing in production as well. The impact is limited to information disclosure (CVSS vector C:L/I:N/A:N), but the route list gives an attacker a map of the application's attack surface, including views that are not linked from anywhere.
Recommendations
For com.vaadin:flow-server versions 1.0.0 through 1.0.14, update to 1.0.15 or later, or apply a custom handler for NotFoundException.
For com.vaadin:flow-server versions 1.1.0 prior to 2.0.0, no fixed release exists in that series; update to 2.6.2 or later (2.0.0 through 2.6.1 are themselves affected), or apply a custom handler for NotFoundException.
For com.vaadin:flow-server versions 2.0.0 through 2.6.1, update to 2.6.2 or later, or apply a custom handler for NotFoundException.
For com.vaadin:flow-server versions 3.0.0 through 6.0.9, update to 6.0.10 or later, or apply a custom handler for NotFoundException.
Until the upgrade can be deployed, provide a custom handler for NotFoundException (a view implementing HasErrorParameter<NotFoundException>). Flow then renders that view instead of the default RouteNotFoundError view, so the route listing is never produced regardless of the flow-server version in use. Confirm the deployment is in production mode as well; the listing is expected behaviour in development mode.
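The following is an added example of the workaround described above; it is not code from the advisory or from Vaadin. It is a minimal Vaadin Flow error view for NotFoundException that returns a fixed 404 page without echoing the requested path or any route information to the client, and logs the unmatched path server-side so that enumeration attempts are visible in application logs. The class name SafeNotFoundView and the message text are hypothetical; the javax.servlet import assumes a Flow 1.x to 6.x (pre-Jakarta) servlet stack, and the logging assumes SLF4J is on the classpath, as it is for Flow applications.

```java
import com.vaadin.flow.component.html.Div;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.ErrorParameter;
import com.vaadin.flow.router.HasErrorParameter;
import com.vaadin.flow.router.NotFoundException;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical custom handler for NotFoundException (example code, not Vaadin's).
 *
 * Flow discovers implementations of HasErrorParameter on the application
 * classpath and uses them in place of its built-in error views. Once this
 * class is present, the default RouteNotFoundError view is no longer rendered,
 * so its route listing cannot be triggered by a crafted request.
 */
public class SafeNotFoundView extends Div implements HasErrorParameter<NotFoundException> {

    private static final Logger LOG = LoggerFactory.getLogger(SafeNotFoundView.class);

    @Override
    public int setErrorParameter(BeforeEnterEvent event,
                                 ErrorParameter<NotFoundException> parameter) {
        // Record the unmatched path server-side only. Bursts of 404s with
        // unusual paths are a useful indicator of route enumeration attempts.
        LOG.warn("Unmatched route requested: {}", event.getLocation().getPath());

        // Render a fixed message. Deliberately do not reflect the requested
        // path, the exception message, or any list of registered routes.
        removeAll();
        setText("The requested page does not exist.");

        // Return a proper 404 so clients and scanners see a plain not-found.
        return HttpServletResponse.SC_NOT_FOUND;
    }
}
```

The class must be on the classpath Flow scans for the application (for Spring Boot projects, under the main application package). After deploying, request a non-existent path against the production-mode deployment and verify that the response is a 404 containing only the fixed message and no route names; a response that still lists routes means the custom view was not picked up or the application is not running in production mode.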
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Impact: information disclosure (route enumeration); the CVSS vector records a low confidentiality impact and no integrity or availability impact.
Related Identifiers
CVE-2021-31412
Affected Products
com.vaadin:flow-server