PT-2021-19289 · Vaadin · Com.Vaadin:Flow-Client
Published 2021-04-22 · Updated 2021-05-04 · CVE-2021-31408
CVSS v3.1: 6.3 (Medium)
| Vector | AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
com.vaadin:flow-client versions 5.0.0 through 6.0.4
Description
The Authentication.logout() helper in com.vaadin:flow-client uses an incorrect HTTP method. In combination with Spring Security CSRF protection, the logout request is therefore not honoured and the session stays valid, which allows local attackers to access Fusion endpoints after the user has attempted to log out.
Recommendations
For versions 5.0.0 through 6.0.4, consider disabling the Authentication.logout() helper until a patch is available, to prevent local attackers from accessing Fusion endpoints after a user logs out.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Insufficient Session Expiration
Improper Authentication
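To make the failure mode concrete, the following is an added illustration (not code from Vaadin, Spring Security or this advisory): a constructed in-memory stand-in for a Spring-Security-style logout handler, with a flawed GET-based helper beside a POST-based one and a check a defender can use to confirm that a logout actually invalidates the session. The session store, endpoint and helper names are assumptions made for the demo.

```javascript
// Constructed in-memory session store (stand-in, not Spring Security's).
const sessions = new Map(); // sessionId -> { user, csrfToken }

function createSession(sessionId, user, csrfToken) {
  sessions.set(sessionId, { user, csrfToken });
}

// Models the relevant Spring Security default: with CSRF protection enabled,
// logout is only honoured on a POST carrying a valid CSRF token. Any other
// method is not recognised as a logout, so the session simply survives.
function handleLogout(req) {
  const session = sessions.get(req.sessionId);
  if (!session) return { loggedOut: false, reason: 'no-session' };
  if (req.method !== 'POST') return { loggedOut: false, reason: 'not-a-logout-request' };
  if (req.csrfToken !== session.csrfToken) return { loggedOut: false, reason: 'bad-csrf-token' };
  sessions.delete(req.sessionId);
  return { loggedOut: true, reason: 'ok' };
}

// A protected (Fusion-style) endpoint: answers 200 only while the session exists.
function callProtectedEndpoint(sessionId) {
  return sessions.has(sessionId) ? 200 : 401;
}

// Pattern of the flawed helper: logout issued with GET (constructed, not the real API).
function logoutWithGet(sessionId) {
  return handleLogout({ method: 'GET', sessionId });
}

// Corrected pattern: POST carrying the CSRF token the server issued for this session.
function logoutWithPost(sessionId, csrfToken) {
  return handleLogout({ method: 'POST', sessionId, csrfToken });
}

// Regression check: a logout is only effective if the protected endpoint
// rejects the old session afterwards. Returns true when it does.
function logoutIsEffective(sessionId, logoutFn) {
  logoutFn();
  return callProtectedEndpoint(sessionId) === 401;
}

// Demo run
createSession('sess-A', 'alice', 'csrf-A');
console.log('GET logout effective:', logoutIsEffective('sess-A', () => logoutWithGet('sess-A'))); // false
console.log('POST logout effective:', logoutIsEffective('sess-A', () => logoutWithPost('sess-A', 'csrf-A'))); // true
```

The same `logoutIsEffective` check, pointed at a real deployment, is the kind of test that would have caught a logout helper that silently does nothing.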
Affected Products
Com.Vaadin:Flow-Client