CVE-2021-33609

Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: Oct 13, 2021 (4y ago)
Last Modified: Jun 17, 2026 (2w ago)

Description

A missing check in the DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows an authenticated network attacker to cause heap exhaustion by requesting too many rows of data.

CVSS Details

Base Score: 4.3
Exploitability: 2.8
Impact: 1.4
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Exploit: No Known Exploit
Patch: Patch Available

Weaknesses (2)

  • CWE-20 Improper Input Validation (category: Validation)
  • CWE-400 Uncontrolled Resource Consumption (category: Resource Mgmt)

Affected Products (1)

Vendor   Product   Version   Range
vaadin   vaadin    *         ≥8.0.0 – <8.14.1

References (2)

  • github.com https://github.com/vaadin/framework/pull/12415
    Patch, Third Party Advisory
  • vaadin.com https://vaadin.com/security/cve-2021-33609
    Vendor Advisory

Remediation

The affected range ends at <8.14.1, so upgrading com.vaadin:vaadin-server to 8.14.1 or later picks up the fix. The patch itself is the pull request below.

  • github.com https://github.com/vaadin/framework/pull/12415
    Patch, Third Party Advisory