CVE-2021-31406
4
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Vaadin | Vaadin | 19.0.0 | affected |
| Vaadin | Vaadin | 15.0.0 < * | affected |
| Vaadin | flow-server | 6.0.0 | affected |
| Vaadin | flow-server | 3.0.0 < * | affected |
Weaknesses
- CWE-208: CWE-208 Information Exposure Through Timing Discrepancy
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.