CVE-2021-31406

Source
https://cve.org/CVERecord?id=CVE-2021-31406
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31406.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31406
Aliases
Published
2021-04-23T16:15:08.727Z
Modified
2025-12-07T10:01:47.175753Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to guess the security token for Fusion endpoints via a timing attack.
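
The bug class described above, as an added example that is not Vaadin's code: a Java sketch of an early-exit CSRF token check beside a constant-time one. The class and method names (CsrfTokenCheck, equalsLeaky, equalsConstantTime, leakyComparisonCount) are illustrative assumptions, and the instrumented comparison counter stands in for wall-clock timing so the leak is visible deterministically rather than through noisy measurements.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example, not Vaadin's code. Shows the vulnerable comparison pattern
 * behind CVE-2021-31406 next to the standard constant-time replacement.
 * All names here are illustrative.
 */
public final class CsrfTokenCheck {

    private static final SecureRandom RNG = new SecureRandom();

    /** Issue a fresh per-session token: 128 random bits, URL-safe base64. */
    public static String newToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * VULNERABLE form: String.equals returns at the first mismatching
     * character, so response time grows with the length of the correct
     * prefix an attacker has already guessed.
     */
    public static boolean equalsLeaky(String expected, String supplied) {
        return expected.equals(supplied);
    }

    /**
     * Hardened form: MessageDigest.isEqual examines every byte when the
     * lengths match, so the time taken does not depend on where the first
     * difference sits. A null token is rejected up front; a length mismatch
     * reveals only the token length, which is not secret.
     */
    public static boolean equalsConstantTime(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    /**
     * Instrumented early-exit compare mirroring what equalsLeaky does under
     * the hood, returning how many byte comparisons ran before it gave up.
     * The count is the quantity an attacker observes as elapsed time.
     */
    static int leakyComparisonCount(byte[] a, byte[] b) {
        int n = Math.min(a.length, b.length);
        int count = 0;
        for (int i = 0; i < n; i++) {
            count++;
            if (a[i] != b[i]) {
                return count;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        String secret = newToken();
        byte[] secretBytes = secret.getBytes(StandardCharsets.UTF_8);

        // Two attacker guesses (constructed): wrong in the first byte, and
        // correct for the first eight bytes but wrong in the ninth.
        byte[] wrongFirst = secretBytes.clone();
        wrongFirst[0] ^= 0x01;
        byte[] rightPrefix = secretBytes.clone();
        rightPrefix[8] ^= 0x01;

        System.out.println("early-exit compares, wrong first byte : "
                + leakyComparisonCount(secretBytes, wrongFirst));
        System.out.println("early-exit compares, 8-byte prefix ok : "
                + leakyComparisonCount(secretBytes, rightPrefix));

        // The constant-time path does the same work for both guesses and
        // still returns the right answers.
        String g1 = new String(wrongFirst, StandardCharsets.UTF_8);
        String g2 = new String(rightPrefix, StandardCharsets.UTF_8);
        System.out.println("constant-time, wrong first byte : " + equalsConstantTime(secret, g1));
        System.out.println("constant-time, 8-byte prefix ok : " + equalsConstantTime(secret, g2));
        System.out.println("constant-time, exact token      : " + equalsConstantTime(secret, secret));
    }
}
```

Compile and run with `javac CsrfTokenCheck.java && java CsrfTokenCheck`. The comparison counts for the two guesses differ by the length of the matching prefix, which is exactly the signal a remote attacker integrates over many requests to recover the token one byte at a time; the constant-time path removes that signal. In a server-side library the practical fix is to route every secret comparison (CSRF tokens, session identifiers, API keys) through MessageDigest.isEqual or a single project wrapper around it, and to reject tokens by length before comparing so the wrapper is never reached with unequal-length inputs.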

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/flow
Events

Database specific

vanir_signatures
[
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-06f1b93a",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java",
            "function": "testMessageProcessing_moduleDependencyIsHandledBeforeApplyingChangesToTree"
        },
        "digest": {
            "function_hash": "87921890465095671594157107149239927107",
            "length": 986.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-092d8ec8",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java",
            "function": "testForceHandleMessage_resyncIsRequested"
        },
        "digest": {
            "function_hash": "176435315625933838641405086351277470696",
            "length": 545.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-34089340",
        "target": {
            "file": "flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/LogoutIT.java"
        },
        "digest": {
            "line_hashes": [
                "1495578536536238047680867649010850752",
                "33172734539250389566913900151098010676",
                "231179337293411902747682902243761324027",
                "185253597001049396053694317422297696389"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-3606533c",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java"
        },
        "digest": {
            "line_hashes": [
                "301976044352119022998234824333652301627",
                "294530612798450813600507804479359823927",
                "313846508660609978381643849320577681983",
                "152868910803242352564842575738991795648",
                "330427172926513235756074426711961637607",
                "160641033736695574313842525615022396480",
                "42466244212440110094325997443159500556",
                "29151606416745812930228003510414829391",
                "67847106582228431156213869114545086858",
                "323826506804025123116176965486901768836",
                "219041129912635741514384459807940989034",
                "2504903256778457630835935834384938142",
                "276346764895001618221222134133595690507",
                "144377006106763004307837383703147829351",
                "206272541706519888002747207169639770307",
                "11279215192527680945869359825434536278",
                "279683075942169739092847073743094260133",
                "229854460136270022510002093705941719199",
                "60300386956367322808909909372115483397",
                "292345435704125859666852645567878440086",
                "296910455200581010597901215294925009383",
                "31258439730993575272104119600032343721",
                "117004182896262798625874616736164890138",
                "320910305921668994430000920439144976857",
                "227639806535119073889189494365792253863",
                "136919012888783107895999336420671234172",
                "58999676969949656533042278060223553577",
                "48411919721287497415317290239520976030",
                "29397489976261394498168902356911749936",
                "326819372456475412736501401838658181965",
                "201158248422594252541353849060168407322",
                "229620179222406502731970246724574755013",
                "337445311431172056298910436500306497272",
                "279683075942169739092847073743094260133",
                "229854460136270022510002093705941719199",
                "197150486713842720092809377656467335683",
                "8499292696089786504678363460057021174",
                "171857235048473958631861810016498461833",
                "278546702569479876764925990280298716384",
                "152944688506901551555408928660484152270",
                "29397489976261394498168902356911749936",
                "87164110531343699104921867771715297195",
                "88810969644377621134850547459348925652",
                "772196467971714818502189856070350282",
                "238940946719695458050660680245165197075",
                "247013942114101291181759859285466177970",
                "229854460136270022510002093705941719199",
                "155657062709356873384283097358451603287",
                "81041191430164707465798982590374222389",
                "103098591337564230868223973695167143035",
                "13916198734395144025729590684210477321",
                "256496337722683622433158801238124973043",
                "271098951679845287461139650171169599984",
                "302041075452351291666669545966589958874",
                "125629449969682541513761705763175328136",
                "318947307075254892797266499623882403630",
                "142159212051806826244749516113158540711"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-39b73d7a",
        "target": {
            "file": "flow-client/src/main/java/com/vaadin/client/communication/MessageHandler.java",
            "function": "processMessage"
        },
        "digest": {
            "function_hash": "254997706635657731430786788563992303816",
            "length": 2375.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-4b4a4ead",
        "target": {
            "file": "flow-client/src/main/java/com/vaadin/client/communication/MessageHandler.java"
        },
        "digest": {
            "line_hashes": [
                "182019263383459402275143202624332887664",
                "300792602988638138923883752319407317093",
                "112454830199038299364027780725497257336",
                "196097407916572160367510191474450910508",
                "137918551173124006886329751136573497415",
                "208383021895983824186477246249403638019",
                "187974447530176521985074718751721039168",
                "169470449152294310335055668465808383302",
                "239573664339104905919818210259430252542",
                "9296378964321605037383755324718051611",
                "41478854613308997485435542464989583335",
                "225952169907270497469411330369839556537",
                "54454611844382887111544867781965506672",
                "235353008800021916146450405650283607314",
                "218409647827626351582692201959395962961",
                "272708246323431282327688827339289434718",
                "284742851407190639269583311082200681018",
                "100414014369562313589808676604236918522",
                "260607015884707301228257896996125954202",
                "122818474809899737133917653213496603088",
                "304322176576110358309378130893237370216",
                "3167835482995663754065474262832190811",
                "129929974916037317490963625998799622052",
                "185951133179051446647755652746187811238",
                "247196013788417828113488016636806666171"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-55f05674",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java",
            "function": "run"
        },
        "digest": {
            "function_hash": "28348110863801476151851545095910941098",
            "length": 65.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-709bbff2",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java",
            "function": "run"
        },
        "digest": {
            "function_hash": "323353777620218808128576314404020368910",
            "length": 354.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-9eb79067",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java",
            "function": "testMessageProcessing_dynamicDependencyIsHandledBeforeApplyingChangesToTree"
        },
        "digest": {
            "function_hash": "105808882375944418724014825127311336406",
            "length": 851.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-bfac34cd",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java",
            "function": "gwtSetUp"
        },
        "digest": {
            "function_hash": "225993414989184879683038962351308084324",
            "length": 543.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-cfbe2e0b",
        "target": {
            "file": "flow-client/src/test-gwt/java/com/vaadin/client/GwtMessageHandlerTest.java",
            "function": "run"
        },
        "digest": {
            "function_hash": "157977531667074534727160363062720824834",
            "length": 148.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/vaadin/flow/commit/b9cc454b011a504d841b53d192cf21f45a0bf829",
        "id": "CVE-2021-31406-fa6e10a2",
        "target": {
            "file": "flow-tests/test-root-context/src/main/java/com/vaadin/flow/uitest/ui/LogoutView.java"
        },
        "digest": {
            "line_hashes": [
                "62570202916061391514951174656216052849",
                "30169386514352912081690429604263954546",
                "62021081469409010472454182602988379095",
                "176257723753143008081423279914502368121",
                "118521377009206943600164791541101575177",
                "270728586782767736996722050434100706180",
                "256801734263702728659710510889348248621"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31406.json"

Git / github.com/vaadin/platform

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/platform
Events

Affected versions

15.*
15.0.0
15.0.0.rc1
16.*
16.0.0.alpha1
16.0.0.alpha2
16.0.0.alpha3
16.0.1
17.*
17.0.0
17.0.0.alpha2
17.0.0.alpha3
17.0.0.alpha4
17.0.0.alpha5
17.0.0.alpha6
17.0.0.alpha7
17.0.0.beta1
17.0.0.beta2
17.0.0.beta3
17.0.0.rc1
17.0.0.rc2
18.*
18.0.0
18.0.0.alpha1
18.0.0.beta1
18.0.0.beta2
18.0.0.beta3
18.0.0.rc1
18.0.0.rc2
18.0.1
18.0.2
18.0.3
18.0.4
18.0.5
18.0.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31406.json"

Git / github.com/vaadin/vaadin

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/vaadin
Events

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31406.json"