GHSA-hw7r-qrhp-5pff: 
Java vulnerability analysis and mitigation

A security vulnerability was identified in the CheckboxGroup component of Vaadin, affecting versions 12.0.0 through 14.6.7 and 15.0.0 through 20.0.5. The vulnerability, tracked as GHSA-hw7r-qrhp-5pff and CVE-2021-33605, was disclosed on August 25, 2021. The issue specifically affects the com.vaadin:vaadin-checkbox-flow component across multiple version ranges (GitHub Advisory).

The vulnerability stems from an improper check in the CheckboxGroup component, which received a CVSS v3.1 score of 4.3 (Moderate severity). The technical assessment indicates the vulnerability has a Network attack vector, Low attack complexity, requires Low privileges, and needs No user interaction. The scope is Unchanged, with No impact on confidentiality, Low impact on integrity, and No impact on availability. The CVSS string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability allows attackers to modify the value of a disabled Checkbox within an enabled CheckboxGroup component. This unauthorized property update capability could potentially compromise the integrity of form data and user interactions within affected applications (GitHub Advisory).

The vulnerability has been patched in Vaadin versions 14.6.8 and 20.0.6. Users are advised to upgrade to these patched versions to mitigate the security risk (GitHub Advisory).