CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/flow-client

Identifiers

CVE-2021-31406

Package Slug

maven/com.vaadin/flow-client

Vulnerability

Information Exposure Through Discrepancy

Description

A non-constant-time comparison of CSRF tokens in the endpoint request handler of com.vaadin:flow-server and com.vaadin:fusion-endpoint allows an attacker to guess the security token for Fusion endpoints via a timing attack.
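The defect described above is the comparison pattern, not the token itself. The following added example (illustrative Java, not Vaadin's own code; class and method names are assumed) shows the leaky pattern beside a constant-time check, the kind of fix the patched versions apply:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Illustrative CSRF-token check. Not Vaadin's code; names are assumed. */
public final class CsrfTokenCheck {

    // Leaky pattern: String.equals stops at the first differing character,
    // so the time it takes depends on how long the matching prefix is.
    // A remote caller who can measure response times can exploit that.
    static boolean equalsLeaky(String expected, String presented) {
        return expected != null && expected.equals(presented);
    }

    // Hardened pattern: MessageDigest.isEqual compares every byte when the
    // lengths match, so the time taken does not depend on which byte differs.
    // (It returns early only on a length mismatch; CSRF tokens issued by the
    // server have a fixed length, so that does not leak token content.)
    static boolean equalsConstantTime(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample values; a real token comes from the session.
        String sessionToken = "0f3a9c1e7b2d4a6c8e1f3b5d7a9c2e4f";
        String goodRequest  = "0f3a9c1e7b2d4a6c8e1f3b5d7a9c2e4f";
        String badRequest   = "0f3a9c1e7b2d4a6c8e1f3b5d7a9c2e40";

        // Both checks give the same boolean answers; only the timing differs.
        System.out.println("leaky/good:    " + equalsLeaky(sessionToken, goodRequest));
        System.out.println("leaky/bad:     " + equalsLeaky(sessionToken, badRequest));
        System.out.println("constant/good: " + equalsConstantTime(sessionToken, goodRequest));
        System.out.println("constant/bad:  " + equalsConstantTime(sessionToken, badRequest));
    }
}
```

When reviewing token or MAC checks, search for `equals` on secret values and replace it with `MessageDigest.isEqual` or an equivalent fixed-time comparison.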

Affected Versions

All versions from 15.0.0 before 18.0.7, and versions from 19.0.0 before 19.0.1

Solution

Upgrade to version 18.0.7, 19.0.1, or later.

Last Modified

2021-05-10
