Description
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Vaadin | Vaadin | affected |
|
|||||||||
| Vaadin | flow-server | affected |
|
Configuration 1 [-]
|
No data.
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2021-0850 | Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack. |
 Github GHSA |
GHSA-p7jq-v8jp-j424 | Timing side channel vulnerability in endpoint request handler in Vaadin 15-19 |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Vaadin
Published:
Updated: 2024-09-17T00:02:31.310Z
Reserved: 2021-04-15T00:00:00.000Z
Link: CVE-2021-31406
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-04-23T16:15:08.727
Modified: 2024-11-21T06:05:35.980
Link: CVE-2021-31406
Redhat
No data.
OpenCVE Enrichment
No data.