CVE-2021-31406

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-31406
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31406.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-31406
Aliases
Published
2021-04-23T16:15:08Z
Modified
2024-10-12T07:27:28.056803Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to guess a security token for Fusion endpoints via a timing attack.

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

  • Type GIT, Repo https://github.com/vaadin/flow (Events: none listed)
  • Type GIT, Repo https://github.com/vaadin/platform (Events: none listed)
  • Type GIT, Repo https://github.com/vaadin/vaadin (Events: none listed)

Affected versions

15.*

15.0.0
15.0.0.rc1

16.*

16.0.0.alpha1
16.0.0.alpha2
16.0.0.alpha3
16.0.1

17.*

17.0.0
17.0.0.alpha2
17.0.0.alpha3
17.0.0.alpha4
17.0.0.alpha5
17.0.0.alpha6
17.0.0.alpha7
17.0.0.beta1
17.0.0.beta2
17.0.0.beta3
17.0.0.rc1
17.0.0.rc2

18.*

18.0.0
18.0.0.alpha1
18.0.0.beta1
18.0.0.beta2
18.0.0.beta3
18.0.0.rc1
18.0.0.rc2
18.0.1
18.0.2
18.0.3
18.0.4
18.0.5
18.0.6