CVE-2021-31406
maven/com.vaadin/vaadin-server
Information Exposure Through Discrepancy
A non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server and com.vaadin:fusion-endpoint allows an attacker to guess a security token for Fusion endpoints via a timing attack.
All versions starting from 15.0.0 before 18.0.7, all versions starting from 19.0.0 before 19.0.1
Upgrade to version 18.0.7 or 19.0.1 or above.
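The defect class behind this record, shown as an added illustration that is not Vaadin's code: a token check built on `String.equals` stops at the first mismatching character, so response time varies with how many leading characters of a guess are correct, which is what a timing attack measures. The hardened form compares every byte before deciding. The class and method names below are hypothetical, and the token values are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Hypothetical CSRF token check; illustration only, not Vaadin code. */
public final class CsrfTokenCheck {

    // Vulnerable pattern: String.equals returns at the first differing
    // character, so the elapsed time leaks the length of the matching prefix.
    static boolean naiveEquals(String expected, String supplied) {
        return expected.equals(supplied);
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte of both
    // arrays regardless of where a mismatch occurs.
    static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // The same idea written out so the control flow is visible: OR the XOR of
    // every byte pair into one accumulator and branch only once, at the end.
    // Tokens of a fixed length mean the length comparison itself reveals nothing.
    static boolean constantTimeEqualsManual(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample tokens; no real secret is involved.
        String expected = "sample-token-0123456789abcdef0123456789abcdef";
        String wrongLastChar = "sample-token-0123456789abcdef0123456789abcdeX";

        System.out.println(constantTimeEquals(expected, expected));      // true
        System.out.println(constantTimeEquals(expected, wrongLastChar)); // false
        System.out.println(constantTimeEquals(expected, null));          // false
        System.out.println(constantTimeEqualsManual(
                expected.getBytes(StandardCharsets.UTF_8),
                wrongLastChar.getBytes(StandardCharsets.UTF_8)));        // false
    }
}
```

When reviewing token or MAC verification code, the check to apply is whether the comparison can exit early on partial mismatch; any `equals`, `==` on arrays, or hand-rolled loop with a `return false` inside the loop body is the pattern to replace with `MessageDigest.isEqual` or an equivalent.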
2021-05-10