CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/vaadin-server

Identifiers

CVE-2021-31406

Package Slug

maven/com.vaadin/vaadin-server

Vulnerability

Information Exposure Through Discrepancy

Description

A non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server and com.vaadin:fusion-endpoint allows an attacker to guess a security token for Fusion endpoints via a timing attack.
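The weakness described above is the comparison itself: a standard string equality check returns as soon as one byte differs, so response time correlates with how many leading bytes of a guessed token are correct. The following added example (not Vaadin's code; the class and method names are hypothetical placeholders) shows that pattern next to a constant-time comparison of the kind a fix uses, with `java.security.MessageDigest.isEqual` from the JDK doing the work and a hand-written version illustrating what "constant time" means.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Constructed example of a CSRF token check in a hypothetical endpoint
 * request handler. Not part of any Vaadin module; names are placeholders.
 */
public class CsrfTokenCheck {

    // Weak pattern: String.equals stops at the first mismatching character,
    // so the time it takes reveals how long the matching prefix is. Repeated
    // measurements let a remote party refine a guess one position at a time.
    static boolean checkTokenEarlyExit(String expected, String supplied) {
        return expected != null && expected.equals(supplied);
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte of
    // equal-length inputs regardless of where the first difference is,
    // so timing no longer depends on the contents of the guess.
    static boolean checkTokenConstantTime(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // The same idea written out: accumulate differences with OR instead of
    // returning early. Only the length check exits early, and the token
    // length is fixed by the server, so that branch leaks nothing secret.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tokens.
        String sessionToken = "constructed-token-0123456789abcdef";
        String correctGuess = "constructed-token-0123456789abcdef";
        String wrongGuess   = "constructed-token-0123456789abcdeX";

        System.out.println("early-exit, correct:    " + checkTokenEarlyExit(sessionToken, correctGuess));
        System.out.println("early-exit, wrong:      " + checkTokenEarlyExit(sessionToken, wrongGuess));
        System.out.println("constant-time, correct: " + checkTokenConstantTime(sessionToken, correctGuess));
        System.out.println("constant-time, wrong:   " + checkTokenConstantTime(sessionToken, wrongGuess));
        System.out.println("hand-written, wrong:    " + constantTimeEquals(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                wrongGuess.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Both checks return the same booleans for the same inputs; the difference is only in how long the wrong-guess case takes, which is exactly what a timing attack measures. When reviewing a code base for this issue, look for `equals`, `equalsIgnoreCase`, or `Arrays.equals` applied to tokens, MACs, or password hashes, and replace them with `MessageDigest.isEqual` or an equivalent constant-time helper.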

Affected Versions

All versions starting from 15.0.0 before 18.0.7, all versions starting from 19.0.0 before 19.0.1

Solution

Upgrade to version 18.0.7 or 19.0.1 or above.

Last Modified

2021-05-10
