CVE-2021-31404

MEDIUM

Vaadin Flow 1.0.0-1.0.13 and Vaadin 10.0.0-10.0.16 - Observable Timing Discrepancy in CSRF Token Comparison

Title source: llm
STIX 2.1

Description

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://vaadin.com/security/cve-2021-31404
Patch, Third Party Advisory x_refsource_misc
https://github.com/vaadin/flow/pull/9875

Scores

CVSS v3 4.0
EPSS 0.0021
EPSS Percentile 11.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-208 CWE-203
Status published
Products (3)
com.vaadin/flow-server 1.0.0 - 1.0.14Maven
vaadin/flow 1.0.0 - 1.0.14
vaadin/vaadin 10.0.0 - 10.0.17
Published Apr 23, 2021
Tracked Since Feb 18, 2026