CVE-2021-31404
Description
Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows an attacker to guess a security token via a timing attack.
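The weakness class named in the description, shown as an added Java illustration that is not taken from Vaadin's code base: a token check built on an early-exit string comparison beside the constant-time form that a fixed version of such a handler would use. The class and method names are hypothetical; `MessageDigest.isEqual` is the standard-library call.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Hypothetical CSRF token check; illustrates the bug class, not Vaadin's actual handler. */
public final class CsrfTokenCheck {

    /*
     * Vulnerable pattern: String.equals stops at the first mismatching character,
     * so the time taken leaks how many leading characters of the presented token
     * were correct. Repeated measurements let the correct prefix be extended
     * character by character instead of brute-forcing the whole token.
     */
    static boolean naiveEquals(String expected, String presented) {
        return expected.equals(presented);
    }

    /*
     * Hardened pattern: MessageDigest.isEqual inspects every byte whatever the
     * position of the first difference, so timing no longer depends on how much
     * of the guess was right. It returns false immediately when lengths differ,
     * which is acceptable because the token length is fixed and public.
     */
    static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    /*
     * Same idea written out by hand: accumulate all differences with OR and
     * decide only after the loop, so there is no data-dependent early exit.
     */
    static boolean constantTimeEqualsManual(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values; a real token would be random and session-bound.
        String stored = "c3a1f9d2e4b6708a";
        String guess = "c3a1f9d2ffffffff"; // correct prefix, wrong suffix

        System.out.println("naive:         " + naiveEquals(stored, guess));         // false
        System.out.println("constant-time: " + constantTimeEquals(stored, guess));  // false
        System.out.println("manual:        " + constantTimeEqualsManual(
                stored.getBytes(StandardCharsets.UTF_8),
                guess.getBytes(StandardCharsets.UTF_8)));                           // false
    }
}
```

All three methods return the same boolean; the difference the CVE is about is only in how long the false result takes to compute for partially correct guesses, which is why the fix for this class of bug is a comparison whose running time is independent of the input contents.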
Risk Information
Base Score
2.5
MODERATE
Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.045
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| CVE-2021-31404 is fixed in Vaadin flow-server 1.0.14 | Windows |
| CVE-2021-31404 is fixed in Vaadin flow-server 2.4.7 | Windows |
| CVE-2021-31404 is fixed in Vaadin flow-server 5.0.3 | Windows |
| CVE-2021-31404 is fixed in Vaadin flow-server for Linux 1.0.14 | Linux |
| CVE-2021-31404 is fixed in Vaadin flow-server for Linux 2.4.7 | Linux |
| CVE-2021-31404 is fixed in Vaadin flow-server for Linux 5.0.3 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2021-31404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31404