CVE-2021-31406
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-31406
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31406.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-31406
- Aliases
- Published
- 2021-04-23T16:15:08Z
- Modified
- 2024-09-03T03:48:29.049738Z
- Severity
-
- 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.
- References
Affected packages
Git / github.com/vaadin/flow
Affected ranges
- Type
- GIT
- Repo
- https://github.com/vaadin/flow
- Events
- Type
- GIT
- Repo
- https://github.com/vaadin/platform
- Events
- Type
- GIT
- Repo
- https://github.com/vaadin/vaadin
- Events
Affected versions
15.*
15.0.0
15.0.0.rc1
16.*
16.0.0.alpha1
16.0.0.alpha2
16.0.0.alpha3
16.0.1
17.*
17.0.0
17.0.0.alpha2
17.0.0.alpha3
17.0.0.alpha4
17.0.0.alpha5
17.0.0.alpha6
17.0.0.alpha7
17.0.0.beta1
17.0.0.beta2
17.0.0.beta3
17.0.0.rc1
17.0.0.rc2
18.*
18.0.0
18.0.0.alpha1
18.0.0.beta1
18.0.0.beta2
18.0.0.beta3
18.0.0.rc1
18.0.0.rc2
18.0.1
18.0.2
18.0.3
18.0.4
18.0.5
18.0.6