CVE-2021-31404

Source
https://cve.org/CVERecord?id=CVE-2021-31404
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31404.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31404
Aliases
Published
2021-04-23T16:15:08.647Z
Modified
2026-03-10T23:28:30.275263Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows an attacker to guess a security token via a timing attack.

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/flow
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.14"
        },
        {
            "introduced": "1.1.0"
        },
        {
            "fixed": "2.0.0"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.4.7"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "5.0.0"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/vaadin/vaadin
Events
Database specific
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.0.17"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "14.0.0"
        },
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.4.7"
        },
        {
            "introduced": "15.0.0"
        },
        {
            "fixed": "17.0.0"
        },
        {
            "introduced": "18.0.0"
        },
        {
            "fixed": "18.0.6"
        }
    ]
}

Affected versions

1.*
1.0.0
1.1.0
1.1.0.alpha1
1.1.0.alpha2
1.1.0.alpha3
1.1.0.beta1
1.1.0.beta2
1.1.0.beta3
1.1.0.beta4
1.2.0
1.2.0.alpha1
1.2.0.beta1
1.2.0.beta2
1.3.0.alpha2
1.3.0.alpha3
1.5.0.alpha1
1.5.0.alpha2
1.5.0.alpha3
1.5.0.alpha4
2.*
2.0.0.alpha1
2.0.0.alpha2
2.0.0.alpha3
2.0.0.alpha4
2.0.0.alpha5
2.0.0.beta1
2.0.0.beta2
2.0.0.rc1
2.0.0.rc2
2.0.0.rc3
v10.*
v10.0.0
v10.0.1
v10.0.10
v10.0.11
v10.0.12
v10.0.13
v10.0.14
v10.0.15
v10.0.16
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.8
v10.0.9
v11.*
v11.0.0-alpha1
v11.0.0-beta1
v12.*
v12.0.0
v12.0.0-alpha1
v12.0.0-alpha2
v12.0.0-alpha3
v12.0.0-alpha4
v12.0.0-alpha5
v12.0.0-beta1
v12.0.0-beta2
v12.0.1
v12.0.2
v13.*
v13.0.0
v13.0.0-alpha1
v13.0.0-alpha2
v13.0.0-alpha3
v13.0.0-alpha4
v13.0.0-beta1
v13.0.0-beta2
v13.0.0-beta3
v13.0.1
v14.*
v14.0.0-alpha1
v14.0.0-alpha2
v14.0.0-alpha3
v14.0.0-alpha4
v14.0.0-beta1
v14.0.0-beta2
v14.0.0-beta3
v14.0.0-rc1
v14.0.0-rc2
v14.0.0-rc3
v14.0.0-rc4
v14.0.0-rc5
v14.0.0-rc6
v14.0.0-rc7
v14.0.0-rc8
v14.0.0-rc9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31404.json"