CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/flow-server

Identifier

CVE-2021-31406

Package Slug

maven/com.vaadin/flow-server

Vulnerability

Information Exposure Through Discrepancy

Description

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server allows an attacker to guess the security token for Fusion endpoints via a timing attack.
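The following is an added illustration of the defect class the description names and of its mitigation; it is not code from Vaadin flow-server, and the class and method names are hypothetical. A comparison built on String.equals returns at the first differing byte, so its running time depends on how much of a guessed token matches the real one. MessageDigest.isEqual from the JDK examines the full length regardless of where the inputs differ, which is the standard Java way to remove that discrepancy when checking a secret such as a CSRF token.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration (not Vaadin's code): a token check that leaks timing
// information next to a constant-time alternative. Names are hypothetical.
public final class CsrfTokenCheck {

    // Weak form: String.equals stops at the first mismatching character,
    // so the elapsed time reveals the length of the matching prefix.
    static boolean equalsNonConstantTime(String expected, String presented) {
        return expected != null && expected.equals(presented);
    }

    // Hardened form: MessageDigest.isEqual does not short-circuit on the
    // first mismatch, so the comparison time no longer depends on how
    // many leading bytes the presented token got right.
    static boolean equalsConstantTime(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample token; a real handler would read it from the session.
        String sessionToken = "constructed-sample-csrf-token-0123456789";
        String presentedOk = "constructed-sample-csrf-token-0123456789";
        String presentedBad = "constructed-sample-csrf-token-012345678X";

        System.out.println("constant-time, matching token:   " + equalsConstantTime(sessionToken, presentedOk));
        System.out.println("constant-time, mismatching token: " + equalsConstantTime(sessionToken, presentedBad));
        System.out.println("non-constant-time, matching token: " + equalsNonConstantTime(sessionToken, presentedOk));
    }
}
```

Both methods return the same boolean results; the difference that matters for this advisory is only in how long the mismatching case takes, which is why a code review or a static rule that flags String.equals on secret values is a useful check in request handlers that validate tokens.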

Affected Versions

All versions starting from 3.0.0 through 5.0.3

Solution

Upgrade to version 5.0.4 or above.

Last Modified

2021-05-07
