Moderate severity · NVD Advisory · Published Apr 23, 2021 · Updated Sep 16, 2024
Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
CVE-2021-31403
Description
Non-constant-time comparison of CSRF tokens in the UIDL request handler of com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23) and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to recover the security token via a timing attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.vaadin:vaadin-bom | Maven | >= 7.0.0, < 7.7.24 | 7.7.24 |
| com.vaadin:vaadin-bom | Maven | >= 8.0.0, < 8.12.3 | 8.12.3 |
| com.vaadin:vaadin-server | Maven | >= 7.0.0, < 7.7.24 | 7.7.24 |
| com.vaadin:vaadin-server | Maven | >= 8.0.0, < 8.12.3 | 8.12.3 |
Affected products
No CPE is assigned. The affected products are the four GHSA package coordinates listed above, covering the ranges >= 7.0.0, < 7.7.24 and >= 8.0.0, < 8.12.3.
Patches
Fixed in vaadin-server (and the matching vaadin-bom) 7.7.24 and 8.12.3. The vaadin/framework pull requests listed under References carry the change; upgrade to the patched version for the major line in use.
Vulnerability mechanics
The UIDL request handler compared the CSRF token sent with the request against the session's token using a comparison that returns as soon as the first mismatching character is found. The time the handler spends before rejecting a request therefore grows with the length of the correct prefix of the attacker's guess. An attacker who can measure server response times precisely enough can use that difference to confirm the token one character at a time, reducing the search from the full token space to a small number of guesses per position. The fix is to compare the two values in a way whose running time does not depend on where they differ.
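The following Java program is an added illustration of this flaw class and its remedy; it is not Vaadin's code, and the class and method names, the constructed token, and the prefix-counting helper are assumptions made for the example. `equalsEarlyExit` models a comparison that stops at the first mismatch, `bytesInspected` shows how much work that comparison does for guesses with a growing correct prefix (which is exactly what a timing measurement exposes), and `equalsConstantTime` uses `java.security.MessageDigest.isEqual`, which examines every byte of equal-length inputs regardless of where they differ.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/*
 * Added example for the flaw class behind CVE-2021-31403 (non-constant-time
 * CSRF token comparison). Not Vaadin code; all names here are assumptions.
 */
public class CsrfTokenCompare {

    /** Vulnerable: returns at the first differing byte, so timing depends on the correct prefix. */
    static boolean equalsEarlyExit(byte[] expected, byte[] presented) {
        if (expected.length != presented.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != presented[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Hardened: MessageDigest.isEqual walks the full length of both arrays when
     * the lengths match, so the time taken does not reveal where they differ.
     * (It still returns immediately on a length mismatch; CSRF tokens are
     * fixed-length, so that is acceptable here.)
     */
    static boolean equalsConstantTime(byte[] expected, byte[] presented) {
        return MessageDigest.isEqual(expected, presented);
    }

    /** Models the leak: how many bytes the early-exit loop inspects for a given guess. */
    static int bytesInspected(byte[] expected, byte[] presented) {
        if (expected.length != presented.length) {
            return 0;
        }
        int inspected = 0;
        for (int i = 0; i < expected.length; i++) {
            inspected++;
            if (expected[i] != presented[i]) {
                break;
            }
        }
        return inspected;
    }

    /** Builds a guess whose first `prefix` bytes match the token and whose remaining bytes all differ. */
    static byte[] guessWithCorrectPrefix(byte[] token, int prefix) {
        byte[] guess = token.clone();
        for (int i = prefix; i < guess.length; i++) {
            guess[i] = (byte) (guess[i] == 'x' ? 'y' : 'x');
        }
        return guess;
    }

    public static void main(String[] args) {
        // Constructed sample token for the demonstration; a real token is a random session value.
        byte[] token = "5f2a9c3d-7b1e-4a0c-9d8e-1c2b3a4f5e6d".getBytes(StandardCharsets.US_ASCII);

        for (int prefix : new int[] {0, 4, 8, 16}) {
            byte[] guess = guessWithCorrectPrefix(token, prefix);
            // Both comparisons reject the wrong guess; only the first one's cost depends on `prefix`.
            if (equalsEarlyExit(token, guess) || equalsConstantTime(token, guess)) {
                throw new IllegalStateException("wrong guess was accepted");
            }
            System.out.printf("%2d correct leading bytes -> early-exit comparison inspects %2d bytes%n",
                    prefix, bytesInspected(token, guess));
        }

        // The genuine token is accepted by both.
        if (!equalsEarlyExit(token, token.clone()) || !equalsConstantTime(token, token.clone())) {
            throw new IllegalStateException("correct token was rejected");
        }
        System.out.println("correct token accepted by both comparisons");
    }
}
```

Run with `javac CsrfTokenCompare.java && java CsrfTokenCompare`. The inspected-byte count climbs with the correct prefix (1, 5, 9, 17 for the four guesses), which is the signal a remote attacker measures as response latency; in the hardened path the amount of work is the same for every equal-length guess. When auditing a codebase for this pattern, look for `String.equals`, `Arrays.equals` or hand-written loops applied to secrets (CSRF tokens, session identifiers, HMAC tags) and replace them with `MessageDigest.isEqual` or an equivalent constant-time routine.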
References
- github.com/advisories/GHSA-75xc-qvxh-27f8 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-31403 (NVD)
- github.com/vaadin/framework/pull/12188
- github.com/vaadin/framework/pull/12190
- github.com/vaadin/framework/security/advisories/GHSA-75xc-qvxh-27f8 (Vaadin security advisory)
- vaadin.com/security/cve-2021-31403