CVE-2021-31406 - Vulnerability Details - OpenCVE

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Key SSVC decision points have not yet been added.

Vendors	Products
Vaadin	Flow Vaadin

Configuration 1 [-]

OR	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow:6.0.0:-::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin:19.0.0:-::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-0850	Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.
Github GHSA	GHSA-p7jq-v8jp-j424	Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/vaadin/flow/pull/10157
https://vaadin.com/security/cve-2021-31406

History

No history.

MITRE

Status: PUBLISHED

Assigner: Vaadin

Published: 2021-04-23T16:05:41.375797Z

Updated: 2024-09-17T00:02:31.310Z

Reserved: 2021-04-15T00:00:00

Link: CVE-2021-31406

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-23T16:15:08.727

Modified: 2024-11-21T06:05:35.980

Link: CVE-2021-31406

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Vaadin", "vendor": "Vaadin", "versions": [{"status": "affected", "version": "19.0.0"}, {"lessThan": "*", "status": "affected", "version": "15.0.0", "versionType": "custom"}]}, {"product": "flow-server", "vendor": "Vaadin", "versions": [{"status": "affected", "version": "6.0.0"}, {"lessThan": "*", "status": "affected", "version": "3.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered and responsibly reported by Xhelal Likaj."}], "datePublic": "2021-03-19T00:00:00", "descriptions": [{"lang": "en", "value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Information Exposure Through Timing Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-23T16:05:41", "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "shortName": "Vaadin"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://vaadin.com/security/cve-2021-31406"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vaadin/flow/pull/10157"}], "source": {"discovery": "EXTERNAL"}, "title": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@vaadin.com", "DATE_PUBLIC": "2021-03-19T09:17:00.000Z", "ID": "CVE-2021-31406", "STATE": "PUBLIC", "TITLE": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vaadin", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "15.0.0"}, {"platform": "", "version_affected": "<=", "version_name": "", "version_value": "18.0.6 +1"}, {"platform": "", "version_affected": "=", "version_name": "", "version_value": "19.0.0"}]}}, {"product_name": "flow-server", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "3.0.0"}, {"platform": "", "version_affected": "<=", "version_name": "", "version_value": "5.0.3 +1"}, {"platform": "", "version_affected": "=", "version_name": "", "version_value": "6.0.0"}]}}]}, "vendor_name": "Vaadin"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "This issue was discovered and responsibly reported by Xhelal Likaj."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-208 Information Exposure Through Timing Discrepancy"}]}]}, "references": {"reference_data": [{"name": "https://vaadin.com/security/cve-2021-31406", "refsource": "MISC", "url": "https://vaadin.com/security/cve-2021-31406"}, {"name": "https://github.com/vaadin/flow/pull/10157", "refsource": "MISC", "url": "https://github.com/vaadin/flow/pull/10157"}]}, "solution": [], "source": {"advisory": "", "defect": [], "discovery": "EXTERNAL"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:55:53.767Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://vaadin.com/security/cve-2021-31406"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vaadin/flow/pull/10157"}]}]}, "cveMetadata": {"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e", "assignerShortName": "Vaadin", "cveId": "CVE-2021-31406", "datePublished": "2021-04-23T16:05:41.375797Z", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2024-09-17T00:02:31.310Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A738EE8-ED33-4DF3-9B27-4BEDA32DAF13", "versionEndExcluding": "5.0.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:flow:6.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "E257F9BA-A8BF-419A-B7C9-49815A837DB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "matchCriteriaId": "56B0887F-B5F8-49C2-8D19-C72F99C053D0", "versionEndExcluding": "18.0.7", "versionStartIncluding": "15.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vaadin:vaadin:19.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "B26A2E69-D944-4470-A8C3-C5E80DDECFF5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack."}, {"lang": "es", "value": "La comparaci\u00f3n non-constant-time de tokens CSRF en el manejador de peticiones de endpoint en com.vaadin:flow-server versiones 3.0.0 hasta 5.0.3 (Vaadin versiones 15.0.0 hasta 18.0.6) y com.vaadin:fusion-endpoint versi\u00f3n 6.0.0 (Vaadin versi\u00f3n 19.0.0), permite al atacante adivinar un token de seguridad para los endpoints de Fusion por medio de un ataque de sincronizaci\u00f3n"}], "id": "CVE-2021-31406", "lastModified": "2024-11-21T06:05:35.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 2.5, "source": "security@vaadin.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-23T16:15:08.727", "references": [{"source": "security@vaadin.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/10157"}, {"source": "security@vaadin.com", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-31406"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vaadin/flow/pull/10157"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://vaadin.com/security/cve-2021-31406"}], "sourceIdentifier": "security@vaadin.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security@vaadin.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}