GHSA-p7jq-v8jp-j424

Source
https://github.com/advisories/GHSA-p7jq-v8jp-j424
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-p7jq-v8jp-j424/GHSA-p7jq-v8jp-j424.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p7jq-v8jp-j424
Aliases
Published
2021-04-19T14:50:38Z
Modified
2023-11-01T04:55:18.903257Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
Details

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to guess a security token for Fusion endpoints via a timing attack.

  • https://vaadin.com/security/cve-2021-31406
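An added illustration of the defect class the advisory describes, not code from com.vaadin:flow-server or com.vaadin:fusion-endpoint (the class and method names are hypothetical): a CSRF token compared with `String.equals`, which stops at the first mismatching character, beside a constant-time comparison built on `MessageDigest.isEqual`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical token check, added here as an illustration; not Vaadin's code.
public final class CsrfTokenCheck {

    // Vulnerable pattern (CWE-208): String.equals() returns as soon as it sees
    // a differing character, so the time taken grows with the length of the
    // correctly matching prefix. This is the shape of defect the advisory
    // describes, not the actual Vaadin implementation.
    static boolean equalsVariableTime(String expected, String submitted) {
        return expected != null && expected.equals(submitted);
    }

    // Hardened: MessageDigest.isEqual walks every byte and ORs the differences
    // together, so timing does not depend on where (or whether) the inputs
    // differ. Only the length check is data-dependent, and the token length
    // is not secret.
    static boolean equalsConstantTime(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // How a request handler would use the hardened check: the token held in the
    // session is compared against the token carried in the request.
    static boolean isRequestAuthorized(String sessionToken, String requestToken) {
        return equalsConstantTime(sessionToken, requestToken);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tokens.
        String session = "4b6d2f0c-9a1e-4c7b-8d3a-2f5e1c9b7a60";
        System.out.println(isRequestAuthorized(session, session));
        System.out.println(isRequestAuthorized(session, "4b6d2f0c-0000-0000"));
        System.out.println(isRequestAuthorized(session, null));
    }
}
```

Replacing the first method with the second is the whole fix for this bug class; no change to token generation or transport is needed.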
Database specific
{
    "nvd_published_at": "2021-04-23T16:15:00Z",
    "github_reviewed_at": "2021-04-16T23:15:49Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-203",
        "CWE-208"
    ]
}
References

Affected packages

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
5.0.4

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0
3.1.1
3.1.2
3.1.3
3.1.5
3.1.6
3.1.7

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8

5.*

5.0.0
5.0.1
5.0.2
5.0.3

Maven / com.vaadin:flow-server

Package

Name
com.vaadin:flow-server
Purl
pkg:maven/com.vaadin/flow-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.1

Affected versions

6.*

6.0.0