CVE-2021-31407: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in the OSGi integration within com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0). The vulnerability (CVE-2021-31407) allows attackers to access application classes and resources on the server through crafted HTTP requests. This security issue was identified and disclosed in March 2021, specifically affecting Vaadin OSGi applications (Vaadin Security).

The vulnerability stems from the interaction between OSGi's HTTP Whiteboard specification and VaadinServlet's static resource handling. The HTTP Whiteboard specification in OSGi makes all resources inside a bundle/jar available via the ServletContext class for any Servlet registered within that bundle. The VaadinServlet class then exposes all resources available in the ServletContext to be accessed via HTTP through the StaticFileServer class. This combination allows direct access to resources within the same bundle as the servlet when requests target the exact resource URL. The vulnerability has been assigned a High severity rating with a CVSS v3.1 base score of 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) (Vaadin Security).

The vulnerability enables unauthorized access to Java class files and static resources that are part of the same bundle as the registered servlet. This exposure could potentially reveal sensitive application code and resources to attackers who can craft specific HTTP requests to access these files. The issue specifically affects resources within the same bundle as the servlet, while resources from other bundles remain inaccessible (Vaadin Security).

Users of affected versions should upgrade to patched versions: Vaadin 14.0.0-14.4.9 should upgrade to 14.4.10 or newer, and Vaadin 19.0.0 should upgrade to 19.0.1 or newer. Vaadin versions 12-13 are no longer supported and users should update to the latest version 14. The fixed versions include com.vaadin:flow-server 2.4.8 or higher for the 14.x series, and 6.0.2 or higher for the 19.x series (Vaadin Security).