Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
CVE-2021-31404

4MEDIUM

Key Information:

Vendor

Vaadin

Status
Vaadin
Flow-server
Vendor
CVE Published:
23 April 2021

What is CVE-2021-31404?

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

flow-server 1.0.0

Vaadin 10.0.0

References

https://vaadin.com/security/cve-2021-31404
x_refsource_MISC
https://github.com/vaadin/flow/pull/9875
x_refsource_MISC

CVSS V3.1

Score:
4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered and responsibly reported by Xhelal Likaj.
JSON
.