CVE-2021-31408

Source
https://cve.org/CVERecord?id=CVE-2021-31408
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31408.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31408
Aliases
Published
2021-04-23T17:15:08.260Z
Modified
2026-04-11T17:12:27.839986Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

The Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user has attempted to log out.

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/flow
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "6.0.0"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.0.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/vaadin/vaadin
Events
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "19.0.0"
        },
        {
            "fixed": "19.0.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "18.0.0-NA"
        }
    ]
}

Affected versions

6.*
6.0.0
6.0.0.rc1
6.0.1
6.0.2
6.0.3
6.0.4
v10.*
v10.0.0
v10.0.0-alpha10
v10.0.0-alpha11
v10.0.0-alpha12
v10.0.0-alpha13
v10.0.0-alpha14
v10.0.0-alpha15
v10.0.0-alpha16
v10.0.0-alpha17
v10.0.0-alpha18
v10.0.0-alpha19
v10.0.0-alpha20
v10.0.0-alpha21
v10.0.0-alpha22
v10.0.0-alpha23
v10.0.0-alpha5
v10.0.0-alpha6
v10.0.0-alpha7
v10.0.0-alpha8
v10.0.0-alpha9
v10.0.0-beta1
v10.0.0-beta10
v10.0.0-beta11
v10.0.0-beta2
v10.0.0-beta3
v10.0.0-beta4
v10.0.0-beta5
v10.0.0-beta6
v10.0.0-beta7
v10.0.0-beta8
v10.0.0-beta9
v10.0.0-rc1
v10.0.0-rc2
v10.0.0-rc3
v10.0.0-rc4
v10.0.0-rc5
v10.0.1
v10.0.2
v11.*
v11.0.0-alpha1
v11.0.0-beta1
v12.*
v12.0.0
v12.0.0-alpha1
v12.0.0-alpha2
v12.0.0-alpha3
v12.0.0-alpha4
v12.0.0-alpha5
v12.0.0-beta1
v12.0.0-beta2
v12.0.1
v12.0.2
v13.*
v13.0.0
v13.0.0-alpha1
v13.0.0-alpha2
v13.0.0-alpha3
v13.0.0-alpha4
v13.0.0-beta1
v13.0.0-beta2
v13.0.0-beta3
v13.0.1
v14.*
v14.0.0
v14.0.0-alpha1
v14.0.0-alpha2
v14.0.0-alpha3
v14.0.0-alpha4
v14.0.0-beta1
v14.0.0-beta2
v14.0.0-beta3
v14.0.0-rc1
v14.0.0-rc2
v14.0.0-rc3
v14.0.0-rc4
v14.0.0-rc5
v14.0.0-rc6
v14.0.0-rc7
v14.0.0-rc8
v14.0.0-rc9
v14.0.1
v14.0.2
v15.*
v15.0.0-alpha1
v15.0.0-alpha10
v15.0.0-alpha11
v15.0.0-alpha12
v15.0.0-alpha13
v15.0.0-alpha14
v15.0.0-alpha15
v15.0.0-alpha2
v15.0.0-alpha3
v15.0.0-alpha4
v15.0.0-alpha5
v15.0.0-alpha6
v15.0.0-alpha7
v15.0.0-alpha8
v15.0.0-alpha9
v15.0.0-beta1
v15.0.0-beta2
v15.0.0-beta3
v15.0.0-beta4
v15.0.0-beta5
v15.0.0-rc1
v16.*
v16.0.0-alpha1
v16.0.0-alpha2
v16.0.0-alpha3
v17.*
v17.0.0
v17.0.0-alpha1
v17.0.0-alpha2
v17.0.0-alpha3
v17.0.0-alpha4
v17.0.0-alpha5
v17.0.0-alpha6
v17.0.0-alpha7
v17.0.0-beta1
v17.0.0-beta2
v17.0.0-beta3
v17.0.0-rc1
v17.0.0-rc2
v18.*
v18.0.0
v18.0.0-alpha1
v18.0.0-beta1
v18.0.0-beta2
v18.0.0-beta3
v18.0.0-rc1
v18.0.0-rc2
v19.*
v19.0.0
v19.0.1
v19.0.2
v19.0.3
v2.*
v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31408.json"
vanir_signatures_modified
"2026-04-11T17:12:27Z"
vanir_signatures
[
    {
        "source": "https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c",
        "signature_type": "Function",
        "id": "CVE-2021-31408-0f722b11",
        "target": {
            "function": "collectChanges",
            "file": "flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"
        },
        "digest": {
            "length": 1251.0,
            "function_hash": "95895721501235828134604377938523968589"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "source": "https://github.com/vaadin/flow/commit/815b967fc84fefa8d3a4d72b9a036f48b0d96326",
        "signature_type": "Line",
        "id": "CVE-2021-31408-3cbf096d",
        "target": {
            "file": "flow-server/src/test/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandlerTest.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "301385501104286487236082474253944597235",
                "33209595235755426172916430696119825081",
                "20130507728000689394003554922185758202",
                "27648121960375167056664220454613286655",
                "333238594463227270340145318059775157759",
                "162426196315294167714190241247049851805",
                "143108685391574631857168530404470296537",
                "289525921492748990051647339521813580169",
                "196691798456890731011850001610931258878",
                "94015583440665660485056429945279570936",
                "233631714151873210613941553197754484653",
                "339847406786329252231261177293433668469",
                "158451126977230762946940923398983625055",
                "158561942680941256530785398242166653410",
                "304251129949362873653769766125841361873",
                "308380952411650632855764156023128986748",
                "239397498041292766278781133946454103885",
                "237104372402625998198687946668778901177",
                "106995218599822985345613317210655828759",
                "292843368295729651396147701559040228668",
                "340030634345836298512821769515880812703",
                "41399387311399976888416394535194411084",
                "331740420109745386061601803818086353335",
                "8884998506346186952570742046383395492",
                "139933011338285433419770049601160816830",
                "98720156670210664928699433727468960320"
            ]
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "source": "https://github.com/vaadin/flow/commit/815b967fc84fefa8d3a4d72b9a036f48b0d96326",
        "signature_type": "Line",
        "id": "CVE-2021-31408-92f44d17",
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "88761532408362104243124548915240472006",
                "26115545497482520410577718690440502402",
                "11174849024622262841416345250865283229",
                "84528676154298864545152016826230750574",
                "278489075895345417307043855328577458086",
                "184248164895372040317975779425110459888",
                "219023934169466880833981601434994954349",
                "121090698278751340858756785343313231219",
                "2484675577778871304649568792269367086",
                "472646401238229835898262101224063639",
                "294378466201656383580273847132248219927",
                "292359602663621118239833079456516038129",
                "312436184117340029061677700511925478592",
                "202899740439789292065858729706882250942",
                "74406980481203728174455280537256204485",
                "338995141612628595560954631266444936498",
                "12714896774079731942982039562409971795"
            ]
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "source": "https://github.com/vaadin/flow/commit/815b967fc84fefa8d3a4d72b9a036f48b0d96326",
        "signature_type": "Function",
        "id": "CVE-2021-31408-a66e3a91",
        "target": {
            "function": "addInitialFlow",
            "file": "flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java"
        },
        "digest": {
            "length": 503.0,
            "function_hash": "226243603720421541345503239346751960012"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "source": "https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c",
        "signature_type": "Function",
        "id": "CVE-2021-31408-b1cb02ae",
        "target": {
            "function": "generateChangesFromEmpty",
            "file": "flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"
        },
        "digest": {
            "length": 347.0,
            "function_hash": "237078465224501216918970658909492001450"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "source": "https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c",
        "signature_type": "Line",
        "id": "CVE-2021-31408-f3fc00e1",
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "166633409631087626290913396734732436812",
                "197369469223622540360828579482267148736",
                "195140222273805224304426140183017972196",
                "13725961261785800399221674383562159069",
                "254809120351719464142745237772450809857",
                "218073233907562093408731433265810115800",
                "115598401893538929146075788865948813998",
                "125696343857202907446740191536897790877",
                "160714507295608243343753244293991626370",
                "193520768097641661616424740431266394537",
                "69994674005437863081726701270029049220",
                "290354615757599555553062985667031195999",
                "309531406710090212504351233874492144018",
                "168869688385432029114419295455521740678",
                "63934125460227180648737009602041294572",
                "85556528253725332217195246397880446410",
                "4550144445281353063207849036130384881",
                "195696388440559866788998827604886889942",
                "9141715159019342845708092688719018889",
                "219517428722783548000327656944996394349",
                "263174819385655843558517354193042800341",
                "278628717958162781159499401632548149642",
                "212108074043554686633359082740911042134",
                "169975297854300739114179273258741891957",
                "205737623842655635335622360341037817920",
                "307280477213297565963444080109690997162",
                "91811661610476284181762024379518805152",
                "65259493187650283740785656083088485279",
                "211259311801906745895310484723471516931",
                "267825787843750070483517773643359595816",
                "332891950888997778239207210083009721465",
                "157413110011444433218980576423685117638",
                "293332030890763288991054245397386344559",
                "168725237606573335312901823970827696098",
                "78467309573778413904335907284488736014",
                "120630796013142002430213040883762815456"
            ]
        },
        "signature_version": "v1",
        "deprecated": false
    }
]