Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8

High

fluorumlabs published GHSA-jfmf-w293-8xr8

Apr 30, 2021

Package

com.vaadin:vaadin-bom (Maven)

Affected versions

>=8.0.0, <=8.12.4

Patched versions

8.13.0

Description

Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

https://vaadin.com/security/cve-2021-31409

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H