CVE-2021-31404
Summary
| CVE | CVE-2021-31404 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-23 16:15:00 UTC |
| Updated | 2021-04-30 19:00:00 UTC |
| Description | Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows an attacker to guess a security token via a timing attack. |
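The weakness behind this record is an equality check that stops at the first mismatching character, so the server's response time grows with the length of the prefix an attacker has already guessed correctly. The example below is added here for illustration and is not code from vaadin/flow or from the referenced pull request; the page only states that the fix switched to a time-constant comparison, not which primitive was used. The hardened variant uses `MessageDigest.isEqual`, the standard JDK primitive for this purpose, and the class, method and variable names are this page's own. The instrumented counter exists only to make the early-exit behaviour visible without relying on noisy wall-clock timing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration for CVE-2021-31404: early-exit token comparison beside a
// constant-time one. Not taken from com.vaadin:flow-server; names are hypothetical.
public class CsrfTokenCompare {

    // Vulnerable pattern: String.equals returns as soon as it finds a differing
    // character, so a request carrying a guess that matches a longer prefix of
    // the real token takes measurably longer to be rejected.
    static boolean unsafeTokenEquals(String expected, String provided) {
        return expected.equals(provided);
    }

    // Instrumented early-exit comparison. Returns how many characters were
    // examined before the result was known; this count is the signal an
    // attacker recovers through response timing, one position at a time.
    static int charsExaminedByEarlyExit(String expected, String provided) {
        if (expected.length() != provided.length()) {
            return 0;
        }
        int examined = 0;
        for (int i = 0; i < expected.length(); i++) {
            examined++;
            if (expected.charAt(i) != provided.charAt(i)) {
                break;
            }
        }
        return examined;
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte of two
    // equal-length arrays regardless of where they differ. It still returns
    // early on a length mismatch, which is acceptable because the server issues
    // tokens of a fixed length, so the length is not a secret.
    static boolean safeTokenEquals(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // 256 bits from a CSPRNG, URL-safe base64 without padding (43 characters).
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Produce a guess that differs from the token only at index i.
    static String differingAt(String token, int i) {
        char[] c = token.toCharArray();
        c[i] = (c[i] == 'A') ? 'B' : 'A';
        return new String(c);
    }

    public static void main(String[] args) {
        String token = newToken();
        String wrongAtStart = differingAt(token, 0);
        String wrongAtEnd = differingAt(token, token.length() - 1);

        System.out.println("early-exit, mismatch at index 0:    "
                + charsExaminedByEarlyExit(token, wrongAtStart) + " chars examined");
        System.out.println("early-exit, mismatch at last index: "
                + charsExaminedByEarlyExit(token, wrongAtEnd) + " chars examined");

        System.out.println("unsafe compare, wrong token: " + unsafeTokenEquals(token, wrongAtEnd));
        System.out.println("safe compare, wrong token:   " + safeTokenEquals(token, wrongAtEnd));
        System.out.println("safe compare, right token:   " + safeTokenEquals(token, token));
    }
}
```

The two counter lines show the leak directly: a guess wrong at the first character is rejected after one comparison, while a guess wrong only at the last character forces the loop through the whole token. Both comparators return the same boolean for every input; the difference is only in how long they take to do so, which is why this class of bug is invisible to functional tests and needs to be caught in review or with a constant-time audit. In practice the per-character difference on a JIT-compiled `String.equals` is tiny and buried in network jitter, so an attacker needs many samples per position, but the description on this page records that the signal was considered exploitable enough to warrant the fix.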
Risk And Classification
Problem Types: CWE-203 (Observable Discrepancy)
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Use time-constant comparison for CSRF tokens by Legioth · Pull Request #9875 · vaadin/flow · GitHub | CONFIRM | github.com | |
| CVE-2021-31404: Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 | CONFIRM | vaadin.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This issue was discovered and responsibly reported by Xhelal Likaj.
Legacy QID Mappings
- 982691 Java (maven) Security Update for com.vaadin:flow-server (GHSA-xwg3-qrcg-w9x6)