CVE-2021-31404

Source
https://cve.org/CVERecord?id=CVE-2021-31404
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31404.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31404
Aliases
Published
2021-04-23T16:15:08.647Z
Modified
2026-02-13T08:44:47.676981Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows an attacker to guess the security token via a timing attack. The comparison returns as soon as the first mismatching byte is found, so the time taken to reject a submitted token reveals how many of its leading bytes are correct; an attacker who can measure that difference can recover the token one byte at a time instead of having to guess it whole.
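Added illustration, not Vaadin's code and not the patch referenced by the signatures below: a Java model of why an early-exit token comparison is exploitable and what the constant-time replacement looks like. The class and method names, the 16-hex-character sample token and the ALPHABET are assumptions; the side channel is modelled by returning the length of the matching prefix rather than measuring wall-clock time, which a real timing attack would have to estimate statistically over many requests. Requires Java 11 or later for String.repeat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Added example for the CWE-208 pattern behind CVE-2021-31404.
 * Not Vaadin's code: names and token values are assumptions chosen to
 * show why an early-exit comparison is exploitable and how to fix it.
 */
public final class CsrfTokenTiming {

    /** Assumed token alphabet (hex); real tokens may use a larger one. */
    static final String ALPHABET = "0123456789abcdef";

    /**
     * Vulnerable shape, equivalent to String.equals: stops at the first
     * differing character. The return value stands in for what a timing
     * side channel leaks, namely how many leading characters matched
     * before the loop exited.
     */
    static int leakyCompare(String expected, String guess) {
        int n = Math.min(expected.length(), guess.length());
        for (int i = 0; i < n; i++) {
            if (expected.charAt(i) != guess.charAt(i)) {
                return i; // early exit: work done grows with the matching prefix
            }
        }
        return n;
    }

    /** Hardened comparison: every byte is examined when lengths match. */
    static boolean constantTimeEquals(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual returns false at once on a length mismatch and
        // otherwise compares all bytes; acceptable when token length is public.
        return MessageDigest.isEqual(a, b);
    }

    /**
     * Attacker simulation against the leaky comparator: extend the known
     * prefix one character at a time, keeping the candidate whose "measured"
     * work is largest. Cost is length * |ALPHABET| guesses instead of
     * |ALPHABET|^length for blind guessing.
     */
    static String recoverToken(String secret) {
        StringBuilder known = new StringBuilder();
        int guesses = 0;
        for (int pos = 0; pos < secret.length(); pos++) {
            char best = 0;
            int bestScore = -1;
            for (char c : ALPHABET.toCharArray()) {
                // Pad the rest of the guess so it has the expected length.
                String guess = known.toString() + c + "0".repeat(secret.length() - pos - 1);
                int score = leakyCompare(secret, guess);
                guesses++;
                // A correct character scores at least pos + 1; a wrong one scores exactly pos.
                if (score > bestScore) {
                    bestScore = score;
                    best = c;
                }
            }
            known.append(best);
        }
        System.out.println("recovered token in " + guesses + " guesses");
        return known.toString();
    }

    public static void main(String[] args) {
        String secret = "3f9a1c7e2b8d4e6f"; // constructed sample token, not a real value
        String recovered = recoverToken(secret);
        System.out.println(recovered.equals(secret)
                ? "leaky comparator: token recovered"
                : "leaky comparator: recovery failed");
        // The constant-time check gives no per-character signal to rank guesses by,
        // so the attacker is back to guessing the whole token.
        System.out.println("constant-time check, correct token: " + constantTimeEquals(secret, recovered));
        System.out.println("constant-time check, wrong token:   " + constantTimeEquals(secret, "0000000000000000"));
    }
}
```

Compile and run with `javac CsrfTokenTiming.java && java CsrfTokenTiming`; the simulated attacker needs length times alphabet size guesses (256 for the 16-character hex sample) against the leaky comparator. The remedy on the JVM is to compare secrets with MessageDigest.isEqual or an equivalent routine whose running time does not depend on where the first mismatch is; the token's length remains observable, which is only acceptable when that length is fixed and public, as it is for session-bound CSRF tokens.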

References

Affected packages

Git / github.com/vaadin/flow

Affected versions

1.*
1.0.0
1.1.0
1.1.0.alpha1
1.1.0.alpha2
1.1.0.alpha3
1.1.0.beta1
1.1.0.beta2
1.1.0.beta3
1.1.0.beta4
1.2.0
1.2.0.alpha1
1.2.0.beta1
1.2.0.beta2
1.3.0.alpha2
1.3.0.alpha3
1.5.0.alpha1
1.5.0.alpha2
1.5.0.alpha3
1.5.0.alpha4
2.*
2.0.0.alpha1
2.0.0.alpha2
2.0.0.alpha3
2.0.0.alpha4
2.0.0.alpha5
2.0.0.beta1
2.0.0.beta2
2.0.0.rc1
2.0.0.rc2
2.0.0.rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31404.json"
vanir_signatures
[
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
        "digest": {
            "function_hash": "249622570144799160707345132873329528777",
            "length": 1300.0
        },
        "id": "CVE-2021-31404-0d26ca84",
        "deprecated": false,
        "target": {
            "file": "flow-server/src/test/java/com/vaadin/flow/internal/ResponseWriterTest.java",
            "function": "assertMultipartResponse"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/3a0bec8198b110458ccea3d5165de9d402817426",
        "digest": {
            "line_hashes": [
                "133991899515961323250281832043496807197",
                "249159474352653487934556951151599851894",
                "240088532057232545644831235116762154793",
                "270254788349579320055880890362721350995",
                "69863386539325907529089889408700413500"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-31404-0ee03c87",
        "deprecated": false,
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/server/communication/StreamReceiverHandler.java"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/8e306579f157678c3baa3f3f63f406d073668161",
        "digest": {
            "line_hashes": [
                "160937225051918761478269234930327001891",
                "46889990866690041514682102058244386468",
                "26363513694312015506855934224560524820",
                "219833123941898919814816514009225503040"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-31404-0f19a1e1",
        "deprecated": false,
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/server/frontend/FrontendDependencies.java"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
        "digest": {
            "line_hashes": [
                "153177363219435303937481346278910453140",
                "181422030205452905305290291040049227309",
                "33971829593394412345599048598093718036",
                "275041624494612527645552893294291103394",
                "86469247458738357383103507442104737069",
                "25922342559461617944053885903640254293",
                "232339524840583842812333248918319678667"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-31404-417a7d8e",
        "deprecated": false,
        "target": {
            "file": "flow-server/src/test/java/com/vaadin/flow/internal/ResponseWriterTest.java"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
        "digest": {
            "line_hashes": [
                "43520808278726046006432504985646778166",
                "296123810924565338498643766530874911587",
                "221259991966709583237594580063444196171",
                "108437677596457758235630426291300831986",
                "317700053554754753249584371690674619316",
                "161853292399189728664655237763082637062",
                "27953669406768766753844549422154923759",
                "271721621782024497285018147912205502689",
                "97433726130074578806977607204725840712",
                "153742533932158225961900960708720470033",
                "275096766594378320841425464416028224121",
                "106015272132669031337108147864651992326",
                "172585572563459339251084935163900343552",
                "118576641918442202000303694882491631629",
                "159566678862912923854403932800634387798",
                "250832752003912735365863795960963851311",
                "95251104644391592641027354560185502492",
                "285848104943858832560397642457555650382",
                "315036448805680584430042212921432466215",
                "255473002469754674093051837237214340125",
                "230235063635031316715263929865930818925",
                "322837197650918553560479406135892037458",
                "74990952378373315520732252202114369521",
                "315036448805680584430042212921432466215",
                "80656763328939012405066971435088009862",
                "184993245847957223953294561761420966511",
                "27613114131117876128238304830026711186",
                "310898117397158724705314868744425276684",
                "211579530431730291031803728089338761891",
                "155912885843459940685605779617059510580",
                "99375202491282114146738158083936559773"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-31404-a61406d4",
        "deprecated": false,
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/internal/ResponseWriter.java"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/8e306579f157678c3baa3f3f63f406d073668161",
        "digest": {
            "function_hash": "332361481167583811488630660825504437087",
            "length": 276.0
        },
        "id": "CVE-2021-31404-dd8db9b6",
        "deprecated": false,
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/server/frontend/FrontendDependencies.java",
            "function": "isVisitable"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/60b4fd8e59948e2a6a5f8af1988a3adc45563ffc",
        "digest": {
            "function_hash": "299806186407132363208599384657169049253",
            "length": 1587.0
        },
        "id": "CVE-2021-31404-e6f3accf",
        "deprecated": false,
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/internal/ResponseWriter.java",
            "function": "writeRangeContents"
        }
    }
]

Git / github.com/vaadin/platform

Affected versions

10.*
10.0.0
10.0.1
10.0.10
10.0.11
10.0.12
10.0.13
10.0.14
10.0.15
10.0.16
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
11.*
11.0.0.alpha1
11.0.0.beta1
12.*
12.0.0.alpha1
12.0.0.alpha2
12.0.0.alpha3
12.0.0.alpha4
12.0.0.alpha5
12.0.0.beta1
12.0.0.beta2
13.*
13.0.0
13.0.0.alpha1
13.0.0.alpha2
13.0.0.alpha3
13.0.0.alpha4
13.0.0.beta1
13.0.0.beta2
13.0.0.beta3
13.0.1
14.*
14.0.0.alpha1
14.0.0.alpha2
14.0.0.alpha3
14.0.0.alpha4
14.0.0.beta1
14.0.0.beta2
14.0.0.beta3
14.0.0.rc1
14.0.0.rc2
14.0.0.rc3
14.0.0.rc4
14.0.0.rc5
14.0.0.rc6
14.0.0.rc7
14.0.0.rc9
15.*
15.0.0
15.0.0.rc1
16.*
16.0.0.alpha1
16.0.0.alpha2
16.0.0.alpha3
16.0.1
17.*
17.0.0.alpha2
17.0.0.alpha3
17.0.0.alpha4
17.0.0.alpha5
17.0.0.alpha6
17.0.0.alpha7
17.0.0.beta1
17.0.0.beta2
17.0.0.beta3
17.0.0.rc1
17.0.0.rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31404.json"

Git / github.com/vaadin/vaadin

Affected versions

v10.*
v10.0.0
v10.0.1
v10.0.10
v10.0.11
v10.0.12
v10.0.13
v10.0.14
v10.0.15
v10.0.16
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.8
v10.0.9
v11.*
v11.0.0-alpha1
v11.0.0-beta1
v12.*
v12.0.0
v12.0.0-alpha1
v12.0.0-alpha2
v12.0.0-alpha3
v12.0.0-alpha4
v12.0.0-alpha5
v12.0.0-beta1
v12.0.0-beta2
v12.0.1
v12.0.2
v13.*
v13.0.0
v13.0.0-alpha1
v13.0.0-alpha2
v13.0.0-alpha3
v13.0.0-alpha4
v13.0.0-beta1
v13.0.0-beta2
v13.0.0-beta3
v13.0.1
v14.*
v14.0.0-alpha1
v14.0.0-alpha2
v14.0.0-alpha3
v14.0.0-alpha4
v14.0.0-beta1
v14.0.0-beta2
v14.0.0-beta3
v14.0.0-rc1
v14.0.0-rc2
v14.0.0-rc3
v14.0.0-rc4
v14.0.0-rc5
v14.0.0-rc6
v14.0.0-rc7
v14.0.0-rc8
v14.0.0-rc9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31404.json"