CVE-2021-31408

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-31408

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31408.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-31408

Aliases

GHSA-mr8h-j9cv-4m8h

Published

2021-04-23T17:15:08Z

Modified

2025-01-14T09:13:09.037201Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type: GIT
Repo: https://github.com/vaadin/flow
Events: Introduced

60b4fd8e59948e2a6a5f8af1988a3adc45563ffc

Fixed

6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c

Type: GIT
Repo: https://github.com/vaadin/platform
Events: Introduced

5c28d4e1b9099122cf4d770283777f00a960aab3

Fixed

c5f2eff88186f28c16cedc320596e7c64197ca13

Type: GIT
Repo: https://github.com/vaadin/vaadin
Events: Introduced

3981409421683b6f4a796f37b67433d36b6a7ca1

Fixed

282c9471b4846bfae98447dbebe9d3be24495ab6

Affected versions

19.*

19.0.0

19.0.1

19.0.2

19.0.3

v19.*

v19.0.0

v19.0.1

v19.0.2

v19.0.3