Cross site request forgery (csrf)

2021-04-2316:15:00

PRIOn knowledge base

www.prio-n.com

3.8 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.

CPENameOperatorVersion
flowge3.0.0
flowlt5.0.4
floweq6.0.0
vaadineq19.0.0
vaadinge15.0.0
vaadinlt18.0.7

Name	Operator	Version
flow	ge	3.0.0
flow	lt	5.0.4
flow	eq	6.0.0
vaadin	eq	19.0.0
vaadin	ge	15.0.0
vaadin	lt	18.0.7

References

github.com/vaadin/flow/pull/10157

vaadin.com/security/cve-2021-31406