GHSA-75xc-qvxh-27f8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-75xc-qvxh-27f8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-75xc-qvxh-27f8/GHSA-75xc-qvxh-27f8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-75xc-qvxh-27f8
- Aliases
- Published
- 2021-04-19T14:51:06Z
- Modified
- 2023-11-08T04:05:48.098329Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
- Details
-
Non-constant-time comparison of CSRF tokens in UIDL request handler in
com.vaadin:vaadin-serverversions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack- https://vaadin.com/security/cve-2021-31403
- Database specific
{ "nvd_published_at": "2021-04-23T16:15:00Z", "github_reviewed_at": "2021-04-16T23:15:02Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-203", "CWE-208" ] }- References
Affected packages
Maven / com.vaadin:vaadin-bom
Package
- Name
- com.vaadin:vaadin-bom
- View open source insights on deps.dev
- Purl
- pkg:maven/com.vaadin/vaadin-bom
Affected versions
7.*
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
7.4.7
7.4.8
7.5.0.beta1
7.5.0.beta2
7.5.0.beta3
7.5.0.rc1
7.5.0.rc2
7.5.0
7.5.1
7.5.2
7.5.3
7.5.4
7.5.5
7.5.6
7.5.7
7.5.8
7.5.9
7.5.10
7.6.0.alpha1
7.6.0.alpha2
7.6.0
7.6.1
7.6.2
7.6.3
7.6.4
7.6.5
7.6.6
7.6.7
7.6.8
7.7.0
7.7.1
7.7.2
7.7.3
7.7.4
7.7.5
7.7.6
7.7.7
7.7.8
7.7.9
7.7.10
7.7.11
7.7.12
7.7.13
7.7.14
7.7.15
7.7.16
7.7.17
7.7.23
Maven / com.vaadin:vaadin-bom
Package
- Name
- com.vaadin:vaadin-bom
- View open source insights on deps.dev
- Purl
- pkg:maven/com.vaadin/vaadin-bom
Affected versions
8.*
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.0.7
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0
8.5.1
8.5.2
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.7.0.beta1
8.7.0
8.7.1
8.7.2
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.9.0
8.9.1
8.9.2
8.9.3
8.9.4
8.10.0
8.10.1
8.10.2
8.10.3
8.10.4
8.10.5
8.11.0
8.11.1
8.11.2
8.11.3
8.12.0
8.12.1
8.12.2
Maven / com.vaadin:vaadin-server
Package
- Name
- com.vaadin:vaadin-server
- View open source insights on deps.dev
- Purl
- pkg:maven/com.vaadin/vaadin-server
Affected versions
7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.1.0.beta1
7.1.0
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.1.6
7.1.7
7.1.8
7.1.9
7.1.10
7.1.11
7.1.12
7.1.13
7.1.14
7.1.15
7.2.0.beta1
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.3.0.alpha1
7.3.0.alpha2
7.3.0.alpha3
7.3.0.beta1
7.3.0.rc1
7.3.0
7.3.1
7.3.2
7.3.3
7.3.4
7.3.5
7.3.6
7.3.7
7.3.8
7.3.9
7.3.10
7.4.0.alpha1
7.4.0.alpha2
7.4.0.alpha3
7.4.0.alpha4
7.4.0.alpha5
7.4.0.alpha6
7.4.0.alpha7
7.4.0.alpha8
7.4.0.alpha9
7.4.0.alpha10
7.4.0.alpha11
7.4.0.alpha12
7.4.0.alpha13
7.4.0.alpha14
7.4.0.beta1
7.4.0.beta2
7.4.0.beta3
7.4.0.rc1
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
7.4.7
7.4.8
7.5.0.alpha1
7.5.0.beta1
7.5.0.beta2
7.5.0.beta3
7.5.0.rc1
7.5.0.rc2
7.5.0
7.5.1
7.5.2
7.5.3
7.5.4
7.5.5
7.5.6
7.5.7
7.5.8
7.5.9
7.5.10
7.6.0.alpha1
7.6.0.alpha2
7.6.0
7.6.1
7.6.2
7.6.3
7.6.4
7.6.5
7.6.6
7.6.7
7.6.8
7.7.0
7.7.1
7.7.2
7.7.3
7.7.4
7.7.5
7.7.6
7.7.7
7.7.8
7.7.9
7.7.10
7.7.11
7.7.12
7.7.13
7.7.14
7.7.15
7.7.16
7.7.17
7.7.23
Maven / com.vaadin:vaadin-server
Package
- Name
- com.vaadin:vaadin-server
- View open source insights on deps.dev
- Purl
- pkg:maven/com.vaadin/vaadin-server
Affected versions
8.*
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.0.7
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0
8.5.1
8.5.2
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.7.0.beta1
8.7.0
8.7.1
8.7.2
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.9.0
8.9.1
8.9.2
8.9.3
8.9.4
8.10.0
8.10.1
8.10.2
8.10.3
8.10.4
8.10.5
8.11.0
8.11.1
8.11.2
8.11.3
8.12.0
8.12.1
8.12.2