2.5 - CVE-2021-31406

Executive Summary

Informations
Name	CVE-2021-31406	First vendor Publication	2021-04-23
Vendor	Cve	Last vendor Modification	2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Overall CVSS Score	2.5
Base Score	2.5	Environmental Score	2.5
impact SubScore	1.4	Temporal Score	2.5
Exploitabality Sub Score	1

Attack Vector	Local	Attack Complexity	High
Privileges Required	Low	User Interaction	None
Scope	Unchanged	Confidentiality Impact	Low
Integrity Impact	None	Availability Impact	None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score	1.9	Attack Range	Local
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	3.4	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31406

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-203	Information Exposure Through Discrepancy

CPE : Common Platform Enumeration

Type	Description	Count
Application	Vaadin Flow cpe:2.3:a:vaadin:flow:6.0.0:-:::::: cpe:2.3:a:vaadin:flow::::::::	2
Application	Vaadin cpe:2.3:a:vaadin:vaadin:19.0.0:-:::::: cpe:2.3:a:vaadin:vaadin:18.0.0:-:::::: cpe:2.3:a:vaadin:vaadin::::::::	3

Sources (Detail)

https://github.com/vaadin/flow/pull/10157
https://vaadin.com/security/cve-2021-31406

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2024-11-28 13:56:27	Multiple Updates
2021-05-05 00:22:52	Multiple Updates
2021-05-04 13:23:43	Multiple Updates
2021-05-01 00:22:48	Multiple Updates
2021-04-23 21:23:08	First insertion