CVE-2021-31403

Опубликовано: 23 апр. 2021

Источник: nvd

CVSS3: 4

CVSS3: 2.5

CVSS2: 1.9

EPSS Низкий

Описание

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack

Ссылки

https://github.com/vaadin/framework/pull/12188
Patch
Third Party Advisory
https://github.com/vaadin/framework/pull/12190
Patch
Third Party Advisory
https://vaadin.com/security/cve-2021-31403
Vendor Advisory
https://github.com/vaadin/framework/pull/12188
Patch
Third Party Advisory
https://github.com/vaadin/framework/pull/12190
Patch
Third Party Advisory
https://vaadin.com/security/cve-2021-31403
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Версия от 7.0.0 (включая) до 7.7.24 (исключая)

cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*

Версия от 8.0.0 (включая) до 8.12.3 (исключая)

EPSS

Процентиль: 31%

0.00116

Низкий

4 Medium

CVSS3

2.5 Low

CVSS3

1.9 Low

CVSS2

Дефекты

CWE-208

CWE-203

Связанные уязвимости

GHSA-75xc-qvxh-27f8

CVSS3: 4

github

почти 5 лет назад

Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8

EPSS

Процентиль: 31%

0.00116

Низкий

4 Medium

CVSS3

2.5 Low

CVSS3

1.9 Low

CVSS2

Дефекты

CWE-208

CWE-203