4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-33605

GHSA ID

GHSA-qcc4-3rxf-gf4m

EPSS Score

0.45939%

CWE

CWE-754

Published

8/30/2021

Updated

5/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-33605

CVE-2021-33605:
Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20

Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors.

https://vaadin.com/security/cve-2021-33605

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-33605

GHSA ID

GHSA-qcc4-3rxf-gf4m

EPSS Score

0.45939%

CWE

CWE-754

Published

8/30/2021

Updated

5/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.vaadin:vaadin-checkbox-flow	maven	>= 12.0.0, < 14.6.8	14.6.8
com.vaadin:vaadin-checkbox-flow	maven	>= 15.0.0, < 20.0.6	20.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the hasValidValue() method's validation logic. The pre-patch version (vulnerable) used: 'selectedItems.stream().allMatch(itemEnabledProvider)', which only ensured currently selected items are enabled. The patched version introduces comparison between old and new values for disabled items. This indicates the vulnerability existed in the original validation logic that failed to properly check if disabled items' values were being modified - a classic CWE-754 scenario of missing exceptional condition checks for disabled components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Improp*r ****k in `****k*ox*roup` in `*om.v***in:v***in-****k*ox-*low` v*rsions *.*.* prior to *.*.* (V***in **.*.* prior to **.*.*), *.*.* prior to *.*.* (V***in **.*.* prior to **.*.*), *.*.* t*rou** *.*.* (V***in **.*.* t*rou** **.*.**), **.*.* t*

Reasoning

T** vuln*r**ility st*ms *rom t** `**sV*li*V*lu*()` m*t*o*'s v*li**tion lo*i*. T** pr*-p*t** v*rsion (vuln*r**l*) us**: 's*l**t**It*ms.str**m().*llM*t**(it*m*n**l**Provi**r)', w*i** only *nsur** *urr*ntly s*l**t** it*ms *r* *n**l**. T** p*t**** v*rsio

4.3

Basic Information

Concerned about an active attack path?

CVE-2021-33605: Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-33605:
Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20

Vulnerability Intelligence
Miggo AI