CVE-2021-31408
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-31408
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31408.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-31408
- Aliases
- Published
- 2021-04-23T17:15:08.260Z
- Modified
- 2025-12-08T07:50:49.881056Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
- References
Affected packages
Git / github.com/vaadin/flow
Database specific
vanir_signatures
[
{
"source": "https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c",
"signature_type": "Function",
"target": {
"function": "collectChanges",
"file": "flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2021-31408-0f722b11",
"digest": {
"length": 1251.0,
"function_hash": "95895721501235828134604377938523968589"
}
},
{
"source": "https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c",
"signature_type": "Function",
"target": {
"function": "generateChangesFromEmpty",
"file": "flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2021-31408-b1cb02ae",
"digest": {
"length": 347.0,
"function_hash": "237078465224501216918970658909492001450"
}
},
{
"source": "https://github.com/vaadin/flow/commit/6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c",
"signature_type": "Line",
"target": {
"file": "flow-server/src/main/java/com/vaadin/flow/internal/nodefeature/NodeList.java"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2021-31408-f3fc00e1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"166633409631087626290913396734732436812",
"197369469223622540360828579482267148736",
"195140222273805224304426140183017972196",
"13725961261785800399221674383562159069",
"254809120351719464142745237772450809857",
"218073233907562093408731433265810115800",
"115598401893538929146075788865948813998",
"125696343857202907446740191536897790877",
"160714507295608243343753244293991626370",
"193520768097641661616424740431266394537",
"69994674005437863081726701270029049220",
"290354615757599555553062985667031195999",
"309531406710090212504351233874492144018",
"168869688385432029114419295455521740678",
"63934125460227180648737009602041294572",
"85556528253725332217195246397880446410",
"4550144445281353063207849036130384881",
"195696388440559866788998827604886889942",
"9141715159019342845708092688719018889",
"219517428722783548000327656944996394349",
"263174819385655843558517354193042800341",
"278628717958162781159499401632548149642",
"212108074043554686633359082740911042134",
"169975297854300739114179273258741891957",
"205737623842655635335622360341037817920",
"307280477213297565963444080109690997162",
"91811661610476284181762024379518805152",
"65259493187650283740785656083088485279",
"211259311801906745895310484723471516931",
"267825787843750070483517773643359595816",
"332891950888997778239207210083009721465",
"157413110011444433218980576423685117638",
"293332030890763288991054245397386344559",
"168725237606573335312901823970827696098",
"78467309573778413904335907284488736014",
"120630796013142002430213040883762815456"
]
}
}
]