CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/flow

Identifier

CVE-2021-31406

Package Slug

maven/com.vaadin/flow

Vulnerability

Information Exposure Through Discrepancy

Description

Non-constant-time comparison of CSRF tokens in endpoint request handler allows attacker to guess a security token for Fusion endpoints via timing attack.

Affected Versions

All versions starting from 3.0.0 before 5.0.4, version 6.0.0

Solution

Upgrade to versions 5.0.4, 6.0.1 or above.

Last Modified

2021-05-03

source