GHSA-9h6g-6mxg-vvp4

Source
https://github.com/advisories/GHSA-9h6g-6mxg-vvp4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-9h6g-6mxg-vvp4/GHSA-9h6g-6mxg-vvp4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9h6g-6mxg-vvp4
Published
2021-04-19T14:47:18Z
Modified
2024-12-02T05:45:00.685897Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
Details

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to recover the security token for Fusion endpoints via a timing attack (CWE-208). Because the comparison stops at the first mismatching byte, the time the handler takes to reject a token varies with the length of the prefix the attacker already has right, so the token can be guessed one position at a time instead of by exhaustive search.

  • https://vaadin.com/security/cve-2021-31406
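The following Java program is an added illustration of the flaw class described above; it is not Vaadin's code and the class, method names, token value and alphabet are all constructed for the example. It places an early-exit comparison beside a constant-time one, uses the length of the matched prefix as a stand-in for a timing measurement, and shows how that oracle lets an attacker recover a 32-character token with 32 * 16 guesses rather than 16^32.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CsrfTimingDemo {

    // Early-exit comparison (hypothetical illustration, not Vaadin's code).
    // It returns on the first mismatching byte, so its running time grows
    // with the length of the prefix the attacker already has right.
    static boolean naiveEquals(byte[] expected, byte[] presented) {
        if (expected.length != presented.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != presented[i]) return false;
        }
        return true;
    }

    // Instrumented oracle standing in for a timing measurement: the number of
    // leading bytes that matched before naiveEquals would have returned.
    static int matchingPrefix(byte[] expected, byte[] presented) {
        int n = Math.min(expected.length, presented.length);
        for (int i = 0; i < n; i++) {
            if (expected[i] != presented[i]) return i;
        }
        return n;
    }

    // Constant-time comparison: examines every byte and OR-accumulates the
    // differences, so the work does not depend on where the first mismatch is.
    static boolean constantTimeEquals(byte[] expected, byte[] presented) {
        if (expected.length != presented.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ presented[i];
        }
        return diff == 0;
    }

    // Simulated attack: recover the token one position at a time by keeping,
    // at each position, the candidate byte that makes the oracle report the
    // longest matching prefix. Cost is positions * alphabet size queries
    // instead of alphabet size ^ positions.
    static byte[] recoverToken(byte[] secret, byte[] alphabet) {
        byte[] guess = new byte[secret.length];
        for (int pos = 0; pos < secret.length; pos++) {
            byte best = alphabet[0];
            int bestPrefix = -1;
            for (byte candidate : alphabet) {
                guess[pos] = candidate;
                int prefix = matchingPrefix(secret, guess);
                if (prefix > bestPrefix) {
                    bestPrefix = prefix;
                    best = candidate;
                }
            }
            guess[pos] = best;
        }
        return guess;
    }

    public static void main(String[] args) {
        // Constructed sample token and alphabet: a real token is random bytes
        // chosen by the server; here it is a 32-character hex string.
        byte[] secret = "3f9a1c7e5b2d8e0a4c6f1b9d7e3a5c2f".getBytes(StandardCharsets.US_ASCII);
        byte[] alphabet = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        byte[] recovered = recoverToken(secret, alphabet);
        System.out.println("recovered token : " + new String(recovered, StandardCharsets.US_ASCII));
        System.out.println("naiveEquals     : " + naiveEquals(secret, recovered));
        System.out.println("constantTime    : " + constantTimeEquals(secret, recovered));
        System.out.println("MessageDigest   : " + MessageDigest.isEqual(secret, recovered));

        // Why the oracle works: a wrong first byte stops the naive loop at once,
        // a wrong last byte only after 31 successful comparisons.
        byte[] wrongFirst = secret.clone();
        wrongFirst[0] ^= 1;
        byte[] wrongLast = secret.clone();
        wrongLast[secret.length - 1] ^= 1;
        System.out.println("prefix matched, wrong first byte: " + matchingPrefix(secret, wrongFirst));
        System.out.println("prefix matched, wrong last byte : " + matchingPrefix(secret, wrongLast));
    }
}
```

In a deployed handler the attacker does not get a byte count; they get response latency, which is noisier, so each candidate is measured many times and the longest mean is kept. The defence is the same either way: compare tokens with a routine whose work is independent of the input, such as `MessageDigest.isEqual` in current JDKs, rather than `String.equals` or `Arrays.equals`.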
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-208"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:13:06Z"
}
References

Affected packages

Maven / com.vaadin:vaadin-bom

Package

Name
com.vaadin:vaadin-bom
Purl
pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
19.0.0
Fixed
19.0.1

Affected versions

19.*

19.0.0

Maven / com.vaadin:vaadin-bom

Package

Name
com.vaadin:vaadin-bom
Purl
pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.0.0
Fixed
18.0.7

Affected versions

15.*

15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.0.5
15.0.6

16.*

16.0.0
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5

17.*

17.0.0
17.0.1
17.0.2
17.0.3
17.0.4
17.0.6
17.0.7
17.0.8
17.0.9
17.0.10
17.0.11

18.*

18.0.0
18.0.1
18.0.2
18.0.3
18.0.4
18.0.5
18.0.6