PT-2021-19284 · Vaadin · Vaadin-Server

Xhelal Likaj

Published: 2021-04-19
Updated: 2021-04-30

CVE-2021-31403

CVSS v3.1: 4.0 (Medium)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

com.vaadin:vaadin-server versions 7.0.0 through 7.7.23
com.vaadin:vaadin-server versions 8.0.0 through 8.12.2

Description

The issue is a non-constant-time comparison of CSRF tokens in the UIDL request handler. Because the comparison returns as soon as the first mismatching byte is found, the response time depends on how much of the submitted token is correct, which allows an attacker to guess the security token via a timing attack.

Recommendations

For versions 7.0.0 through 7.7.23, update to a version outside of this range to mitigate the risk. For versions 8.0.0 through 8.12.2, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider implementing constant-time comparison for CSRF tokens in the UIDL request handler until a patch is available.
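The workaround described above, shown as an added example that is not Vaadin's own code: the short-circuiting String.equals comparison beside a constant-time replacement built on the JDK's MessageDigest.isEqual. The class name and token values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CsrfTokenCheck {

    // Vulnerable form: String.equals() returns as soon as it meets a
    // mismatching character (and immediately when the lengths differ),
    // so the time it takes grows with the number of leading characters
    // of the guess that match the real token. That is the side channel.
    static boolean equalsVariableTime(String expected, String received) {
        return expected.equals(received);
    }

    // Hardened form: MessageDigest.isEqual examines every byte of
    // equal-length inputs no matter where the first mismatch sits, so
    // the comparison time does not reveal how close the guess was.
    // A length mismatch is still rejected early, which is acceptable
    // because the token length is fixed and public.
    static boolean equalsConstantTime(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = received.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample values; a real token comes from the session.
        String sessionToken = "2f8b9e1c-0a7d-4c53-9b61-3e4d5a6f7081";
        String good = "2f8b9e1c-0a7d-4c53-9b61-3e4d5a6f7081";
        String nearMiss = "2f8b9e1c-0a7d-4c53-9b61-3e4d5a6f7082";
        String wrongLength = "2f8b";

        System.out.println(equalsConstantTime(sessionToken, good));
        System.out.println(equalsConstantTime(sessionToken, nearMiss));
        System.out.println(equalsConstantTime(sessionToken, wrongLength));
    }
}
```

Both helpers return the same booleans; only the timing behaviour of the rejected cases differs, which is the property the fix restores.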

Fix

Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2021-31403
GHSA-75XC-QVXH-27F8

Affected Products

Vaadin-Server