CVE-2021-31404

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-31404
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31404.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31404
Aliases
Published
2021-04-23T16:15:08Z
Modified
2024-09-03T03:48:27.597515Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows an attacker to guess a security token via a timing attack.
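
The bug class named above, as an added Java example that is not Vaadin's own code: a token check built on String.equals, which returns at the first mismatching character so its running time depends on how long a matching prefix the request carries, beside the same check done with MessageDigest.isEqual, whose running time does not depend on where the first difference is. The class, method names and sample token are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical handler-side check illustrating the vulnerability class; not Vaadin code.
public class CsrfTokenCheck {

    // Weak: String.equals stops at the first mismatching character, so the
    // response time reveals how many leading characters of the token were right.
    static boolean matchesEarlyExit(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        return expected.equals(received);
    }

    // Hardened: MessageDigest.isEqual examines every byte of equal-length inputs
    // regardless of where they differ, so timing no longer leaks a prefix match.
    // (It still returns early on a length mismatch, which reveals only the length.)
    static boolean matchesConstantTime(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = received.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample token; a real handler takes it from the session.
        String sessionToken = "constructed-example-token-0123456789abcdef";
        String good = sessionToken;
        String bad = "constructed-example-token-0123456789abcdeX";

        System.out.println("early-exit, correct token:    " + matchesEarlyExit(sessionToken, good));
        System.out.println("early-exit, wrong last char:  " + matchesEarlyExit(sessionToken, bad));
        System.out.println("constant-time, correct token: " + matchesConstantTime(sessionToken, good));
        System.out.println("constant-time, wrong last char: " + matchesConstantTime(sessionToken, bad));
    }
}
```

Both checks return the same booleans; the difference the fix addresses is only in how long the false case takes relative to the position of the first wrong byte.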

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/flow
Events
Type
GIT
Repo
https://github.com/vaadin/platform
Events
Type
GIT
Repo
https://github.com/vaadin/vaadin
Events

Affected versions

1.*

1.0.0
1.0.1
1.0.10
1.0.11
1.0.12
1.0.13
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9

10.*

10.0.0
10.0.1
10.0.10
10.0.11
10.0.12
10.0.13
10.0.14
10.0.15
10.0.16
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9