CVE-2021-31408

Insufficient Session Expiration in maven/com.vaadin/vaadin-server

Identifier

CVE-2021-31408

Package Slug

maven/com.vaadin/vaadin-server

Vulnerability

Insufficient Session Expiration

Description

The Authentication.logout() helper in com.vaadin:flow-client uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Affected Versions

All versions starting from 18.0.0 up to 19.0.4

Solution

Upgrade to version 19.0.4 or above

Last Modified

2021-05-10

source