Moderate severity · NVD Advisory · Published Apr 23, 2021 · Updated Sep 16, 2024
Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
CVE-2021-31403
Description
Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23) and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to guess the security token via a timing attack.
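The description names the mechanism without showing it. As an added illustration, not code from Vaadin or from this advisory, the following contrasts the vulnerable pattern (an early-exit byte-by-byte comparison, which is how `String.equals` and `Arrays.equals` behave) with a constant-time comparison. The token value is constructed for the demo, the `bytesInspected` counter is instrumentation that stands in for the elapsed time an attacker would measure, and the method names are hypothetical, not Vaadin's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not Vaadin code: contrasts an early-exit token comparison
// (the pattern CVE-2021-31403 describes) with a constant-time comparison.
public class CsrfTokenCompare {

    // Instrumentation only: how many bytes the last earlyExitEquals call inspected.
    // In a real deployment the attacker observes this as response latency.
    static int bytesInspected;

    // Vulnerable pattern: returns at the first differing byte, so the time taken
    // grows with the length of the prefix the attacker has already guessed right.
    static boolean earlyExitEquals(byte[] expected, byte[] submitted) {
        bytesInspected = 0;
        if (expected.length != submitted.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            bytesInspected++;
            if (expected[i] != submitted[i]) {
                return false;
            }
        }
        return true;
    }

    // Hardened form: always walks the whole token, ORs the XOR of every byte pair
    // into an accumulator and decides only at the end, so the work done does not
    // depend on where the first mismatch is. The length check leaks only the token
    // length, which the server fixes and which is not secret.
    static boolean constantTimeEquals(byte[] expected, byte[] submitted) {
        if (expected.length != submitted.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ submitted[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample token (same shape as a random UUID string); not a real value.
        byte[] token = ascii("f47ac10b-58cc-4372-a567-0e02b2c3d479");

        // Attacker guesses: wrong from byte 0, sharing a 9-byte prefix, and fully right.
        byte[][] guesses = {
            ascii("00000000-0000-0000-0000-000000000000"),
            ascii("f47ac10b-0000-0000-0000-000000000000"),
            ascii("f47ac10b-58cc-4372-a567-0e02b2c3d479"),
        };

        for (byte[] guess : guesses) {
            boolean naive = earlyExitEquals(token, guess);
            // The count rises with the matching prefix: that is the side channel.
            System.out.println("early-exit: match=" + naive
                    + ", bytes inspected=" + bytesInspected);
            // The constant-time version inspects every byte on every call.
            boolean safe = constantTimeEquals(token, guess);
            // The JDK's own constant-time comparison (modern JDKs) gives the same answer.
            boolean jdk = MessageDigest.isEqual(token, guess);
            System.out.println("constant-time: match=" + safe
                    + ", MessageDigest.isEqual=" + jdk);
        }
    }

    private static byte[] ascii(String s) {
        return s.getBytes(StandardCharsets.US_ASCII);
    }
}
```

The attack the description refers to works position by position: the attacker submits UIDL requests whose token differs from the guess only in the next unknown byte, measures the response latency over many samples to average out network jitter, and keeps the byte value that takes longest, since that is the one the early-exit loop got past. Over a network this needs a large number of samples per byte, but the fix should remove the dependency rather than rely on that noise, which is what the constant-time form does. To check whether a build is exposed, list the resolved artifact version with `mvn dependency:tree -Dincludes=com.vaadin:vaadin-server` and compare it against the patched versions in the table below.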
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.vaadin:vaadin-bom | Maven | >= 7.0.0, < 7.7.24 | 7.7.24 |
| com.vaadin:vaadin-bom | Maven | >= 8.0.0, < 8.12.3 | 8.12.3 |
| com.vaadin:vaadin-server | Maven | >= 7.0.0, < 7.7.24 | 7.7.24 |
| com.vaadin:vaadin-server | Maven | >= 8.0.0, < 8.12.3 | 8.12.3 |
Affected products
- Vaadin/vaadin-server (affected range starting at 7.0.0)
Patches
No patches discovered yet.
References
- GitHub advisory: https://github.com/advisories/GHSA-75xc-qvxh-27f8
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-31403
- Pull request: https://github.com/vaadin/framework/pull/12188
- Pull request: https://github.com/vaadin/framework/pull/12190
- Repository advisory: https://github.com/vaadin/framework/security/advisories/GHSA-75xc-qvxh-27f8
- Vaadin security page: https://vaadin.com/security/cve-2021-31403