CVE-2021-31406

CVSS v3.1 2.5 (Low)

CVSS v2.0 1.9 (Low)

EPSS 0.04 % (13^th)

Affected Products 2

Advisories 1

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.

Weaknesses

CWE-203: Observable Discrepancy
CWE-208: Observable Timing Discrepancy

CVE Status: PUBLISHED
CNA: Vaadin Ltd.
Published Date: 2021-04-23 16:15:08
(3 years ago)
Updated Date: 2021-04-30 19:01:08
(3 years ago)

Affected Products

Vaadin

Flow
Vaadin

Configuration #1

	CPE23	From	Up To
Vaadin Flow from 3.0.0 version and prior 5.0.4 version	cpe:2.3:a:vaadin:flow	>= 3.0.0	< 5.0.4
Vaadin Flow 6.0.0	cpe:2.3:a:vaadin:flow:6.0.0:-
Vaadin from 15.0.0 version and prior 18.0.7 version	cpe:2.3:a:vaadin:vaadin	>= 15.0.0	< 18.0.7
Vaadin 19.0.0	cpe:2.3:a:vaadin:vaadin:19.0.0:-