GHSA-6hgr-2g6q-3rmc

Suggest an improvement
Source
https://github.com/advisories/GHSA-6hgr-2g6q-3rmc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-6hgr-2g6q-3rmc/GHSA-6hgr-2g6q-3rmc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6hgr-2g6q-3rmc
Published
2021-04-22T16:11:26Z
Modified
2024-11-28T05:29:47.033476Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19
Details

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

  • https://vaadin.com/security/cve-2021-31408
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-22T14:31:17Z"
}
References

Affected packages

Maven / com.vaadin:flow-client

Package

Name
com.vaadin:flow-client
View open source insights on deps.dev
Purl
pkg:maven/com.vaadin/flow-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
6.0.5

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4