CVE-2021-31408

MEDIUM

Vaadin Flow 5.0.0-5.9.9 and Vaadin 19.0.0-19.0.3 - Insufficient Session Expiration via Authentication.logout() Helper

Title source: llm

Description

The Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3), uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

References (2)

Core References (2)
Vendor Advisory x_refsource_misc
https://vaadin.com/security/cve-2021-31408
Patch, Third Party Advisory x_refsource_misc
https://github.com/vaadin/flow/pull/10577

Scores

CVSS v3 6.3
EPSS 0.0032
EPSS Percentile 23.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Details

CWE
CWE-613
Status published
Products (4)
com.vaadin/vaadin-bom 18.0.0 - 19.0.4 (Maven)
vaadin/flow 5.0.0 - 6.0.0
vaadin/vaadin 18.0.0
vaadin/vaadin 19.0.0 - 19.0.4
Published Apr 23, 2021
Tracked Since Feb 18, 2026