GHSA-p7jq-v8jp-j424

Source

https://github.com/advisories/GHSA-p7jq-v8jp-j424

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-p7jq-v8jp-j424/GHSA-p7jq-v8jp-j424.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p7jq-v8jp-j424

Aliases

CVE-2021-31406

Published

2021-04-19T14:50:38Z

Modified

2023-11-08T04:05:48.283602Z

Severity

4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

Details

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.

https://vaadin.com/security/cve-2021-31406

Database specific

{
    "nvd_published_at": "2021-04-23T16:15:00Z",
    "github_reviewed_at": "2021-04-16T23:15:49Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-203",
        "CWE-208"
    ]
}

References

Affected packages

Maven / com.vaadin:flow-server

Package

Name: com.vaadin:flow-server; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/flow-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

5.0.4

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.1.0

3.1.1

3.1.2

3.1.3

3.1.5

3.1.6

3.1.7

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

5.*

5.0.0

5.0.1

5.0.2

5.0.3

Maven / com.vaadin:flow-server

Package

Name: com.vaadin:flow-server; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/flow-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.1

Affected versions

6.*

6.0.0