CVE-2021-31406
maven/com.vaadin/flow-client
Information Exposure Through Discrepancy
A non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server and com.vaadin:fusion-endpoint allows an attacker to guess a security token for Fusion endpoints via a timing attack.
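The weakness described above is the comparison itself: a `String.equals` style check stops at the first differing character, so the time it takes depends on how long the matching prefix is. The following is an added illustration, not Vaadin's code, showing that pattern next to the constant-time alternative (`java.security.MessageDigest.isEqual`) that a fix for this class of bug uses. The class and method names, and the token generator, are assumptions for the demo only.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration, not Vaadin's code: compares a CSRF token presented in a
// request against the one stored in the session, the vulnerable way and the fixed way.
public final class CsrfTokenCheck {

    // Vulnerable pattern: String.equals returns as soon as it sees a differing
    // character, so the time taken depends on how many leading characters match.
    static boolean equalsNotConstantTime(String expected, String presented) {
        return expected != null && expected.equals(presented);
    }

    // Fixed pattern: MessageDigest.isEqual examines every byte of equal-length
    // inputs regardless of where they differ. A length mismatch still returns
    // early, which is acceptable when session CSRF tokens have a fixed length.
    static boolean equalsConstantTime(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Generates a token the way a session filter might (assumption, for the demo only).
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        String sessionToken = newToken();
        String headerToken = sessionToken;                // matching request (constructed)
        String forged = "A" + sessionToken.substring(1);  // constructed wrong guess

        System.out.println("vulnerable, match:     " + equalsNotConstantTime(sessionToken, headerToken));
        System.out.println("vulnerable, forged:    " + equalsNotConstantTime(sessionToken, forged));
        System.out.println("constant-time, match:  " + equalsConstantTime(sessionToken, headerToken));
        System.out.println("constant-time, forged: " + equalsConstantTime(sessionToken, forged));
    }
}
```

Both methods return the same boolean for every input; the difference is only in how long they take when the inputs differ, which is what the advisory's "information exposure through discrepancy" refers to. When auditing a code base for this pattern, look for `equals` or `Arrays.equals` applied to secrets (CSRF tokens, session ids, API keys, HMACs) and replace them with `MessageDigest.isEqual`, which has been constant-time for equal-length arrays since Java 6u17.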
Affected: all versions from 15.0.0 before 18.0.7, and versions from 19.0.0 before 19.0.1.
Upgrade to version 18.0.7 or 19.0.1 or above.
2021-05-10