Description
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.
Remediation
References
https://github.com/vaadin/flow/pull/9875
https://vaadin.com/security/cve-2021-31404
Related Vulnerabilities
CVE-2019-10061 Vulnerability in npm package opencv
CVE-2021-27405 Vulnerability in npm package @progfay/scrapbox-parser
CVE-2018-1000067 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2019-18212 Vulnerability in maven package org.lsp4xml:org.eclipse.lsp4xml.extensions.web
CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-elasticsearch