CVE-2021-31404

Information Exposure Through Discrepancy in maven/com.vaadin/vaadin-server

Identifiers

CVE-2021-31404

Package Slug

maven/com.vaadin/vaadin-server

Vulnerability

Information Exposure Through Discrepancy

Description

A non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server allows attackers to guess a security token via a timing attack.
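The defect class named in the description, shown beside the hardened form a maintainer would apply on the server side, as an added Java example that is not Vaadin's code; the class name, method names and sample token are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical illustration of the comparison behind CVE-2021-31404 (not Vaadin's code).
public final class CsrfTokenCheck {

    // Vulnerable pattern: String.equals returns as soon as one character differs,
    // so the time taken reveals how many leading characters of the supplied
    // value matched the real token. Repeated measurements let a client refine
    // its guess one position at a time.
    static boolean insecureEquals(String expected, String supplied) {
        return expected.equals(supplied);
    }

    // Hardened pattern: MessageDigest.isEqual inspects every byte regardless of
    // where the first difference is, so the elapsed time no longer depends on
    // the prefix that matched (constant-time for equal-length inputs).
    static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // The same idea written out by hand: OR together the XOR of every byte pair
    // and only look at the accumulated result after the loop has run to the end.
    // A length mismatch is rejected up front; token length is not secret when
    // the server always issues tokens of one fixed size.
    static boolean constantTimeEqualsManual(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        String realToken = "3f9c1a7e5b2d4086";      // constructed sample token
        String guess     = "3f9c1a7e00000000";      // constructed partial match
        System.out.println(insecureEquals(realToken, guess));      // false, but early exit
        System.out.println(constantTimeEquals(realToken, guess));  // false, full-length scan
        System.out.println(constantTimeEquals(realToken, realToken)); // true
    }
}
```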

Affected Versions

All versions starting from 10.0.0 before 10.0.17, all versions starting from 11.0.0 before 18.0.6

Solution

Upgrade to version 10.0.17 or 18.0.6 or above.

Last Modified

2021-05-10
