GHSA-75xc-qvxh-27f8

Source

https://github.com/advisories/GHSA-75xc-qvxh-27f8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-75xc-qvxh-27f8/GHSA-75xc-qvxh-27f8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-75xc-qvxh-27f8

Aliases

CVE-2021-31403

Published

2021-04-19T14:51:06Z

Modified

2023-11-08T04:05:48.098329Z

Severity

4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8

Details

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack

https://vaadin.com/security/cve-2021-31403

Database specific

{
    "severity": "MODERATE",
    "github_reviewed_at": "2021-04-16T23:15:02Z",
    "cwe_ids": [
        "CWE-203",
        "CWE-208"
    ],
    "nvd_published_at": "2021-04-23T16:15:00Z",
    "github_reviewed": true
}

References

Affected packages

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.7.24

Affected versions

7.*

7.4.0

7.4.1

7.4.2

7.4.3

7.4.4

7.4.5

7.4.6

7.4.7

7.4.8

7.5.0.beta1

7.5.0.beta2

7.5.0.beta3

7.5.0.rc1

7.5.0.rc2

7.5.0

7.5.1

7.5.2

7.5.3

7.5.4

7.5.5

7.5.6

7.5.7

7.5.8

7.5.9

7.5.10

7.6.0.alpha1

7.6.0.alpha2

7.6.0

7.6.1

7.6.2

7.6.3

7.6.4

7.6.5

7.6.6

7.6.7

7.6.8

7.7.0

7.7.1

7.7.2

7.7.3

7.7.4

7.7.5

7.7.6

7.7.7

7.7.8

7.7.9

7.7.10

7.7.11

7.7.12

7.7.13

7.7.14

7.7.15

7.7.16

7.7.17

7.7.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-75xc-qvxh-27f8/GHSA-75xc-qvxh-27f8.json"

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.12.3

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.0.7

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.3.3

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0

8.5.1

8.5.2

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.7.0.beta1

8.7.0

8.7.1

8.7.2

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.9.0

8.9.1

8.9.2

8.9.3

8.9.4

8.10.0

8.10.1

8.10.2

8.10.3

8.10.4

8.10.5

8.11.0

8.11.1

8.11.2

8.11.3

8.12.0

8.12.1

8.12.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-75xc-qvxh-27f8/GHSA-75xc-qvxh-27f8.json"

Maven / com.vaadin:vaadin-server

Package

Name: com.vaadin:vaadin-server; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.7.24

Affected versions

7.*

7.0.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

7.0.6

7.0.7

7.1.0.beta1

7.1.0

7.1.1

7.1.2

7.1.3

7.1.4

7.1.5

7.1.6

7.1.7

7.1.8

7.1.9

7.1.10

7.1.11

7.1.12

7.1.13

7.1.14

7.1.15

7.2.0.beta1

7.2.0

7.2.1

7.2.2

7.2.3

7.2.4

7.2.5

7.2.6

7.2.7

7.3.0.alpha1

7.3.0.alpha2

7.3.0.alpha3

7.3.0.beta1

7.3.0.rc1

7.3.0

7.3.1

7.3.2

7.3.3

7.3.4

7.3.5

7.3.6

7.3.7

7.3.8

7.3.9

7.3.10

7.4.0.alpha1

7.4.0.alpha2

7.4.0.alpha3

7.4.0.alpha4

7.4.0.alpha5

7.4.0.alpha6

7.4.0.alpha7

7.4.0.alpha8

7.4.0.alpha9

7.4.0.alpha10

7.4.0.alpha11

7.4.0.alpha12

7.4.0.alpha13

7.4.0.alpha14

7.4.0.beta1

7.4.0.beta2

7.4.0.beta3

7.4.0.rc1

7.4.0

7.4.1

7.4.2

7.4.3

7.4.4

7.4.5

7.4.6

7.4.7

7.4.8

7.5.0.alpha1

7.5.0.beta1

7.5.0.beta2

7.5.0.beta3

7.5.0.rc1

7.5.0.rc2

7.5.0

7.5.1

7.5.2

7.5.3

7.5.4

7.5.5

7.5.6

7.5.7

7.5.8

7.5.9

7.5.10

7.6.0.alpha1

7.6.0.alpha2

7.6.0

7.6.1

7.6.2

7.6.3

7.6.4

7.6.5

7.6.6

7.6.7

7.6.8

7.7.0

7.7.1

7.7.2

7.7.3

7.7.4

7.7.5

7.7.6

7.7.7

7.7.8

7.7.9

7.7.10

7.7.11

7.7.12

7.7.13

7.7.14

7.7.15

7.7.16

7.7.17

7.7.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-75xc-qvxh-27f8/GHSA-75xc-qvxh-27f8.json"

Maven / com.vaadin:vaadin-server

Package

Name: com.vaadin:vaadin-server; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.12.3

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.0.7

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.3.3

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0

8.5.1

8.5.2

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.7.0.beta1

8.7.0

8.7.1

8.7.2

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.9.0

8.9.1

8.9.2

8.9.3

8.9.4

8.10.0

8.10.1

8.10.2

8.10.3

8.10.4

8.10.5

8.11.0

8.11.1

8.11.2

8.11.3

8.12.0

8.12.1

8.12.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-75xc-qvxh-27f8/GHSA-75xc-qvxh-27f8.json"