CVE-2021-33605 — Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-2

Description

Improper check in `CheckboxGroup` in `com.vaadin:vaadin-checkbox-flow` versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled `Checkbox` inside enabled `CheckboxGroup` component via unspecified vectors. - https://vaadin.com/security/cve-2021-33605

How to fix CVE-2021-33605

To remediate CVE-2021-33605, upgrade the affected package to a fixed version below.

—upgrade to 14.6.8 or later

Is CVE-2021-33605 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 12.0.0, < 14.6.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-33605
PATCHgithub.com/vaadin/flow-components
WEBgithub.com/vaadin/flow-components/commit/1aa6bc94c763023bc3fc5849c2a1e8cab3bf6766
WEBgithub.com/vaadin/flow-components/commit/f136532a735f703f1144f19fee48c9009c659f03