Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
References
Link | Resource |
---|---|
https://github.com/vaadin/flow/pull/10577 | Patch Third Party Advisory |
https://vaadin.com/security/cve-2021-31408 | Vendor Advisory |
https://github.com/vaadin/flow/pull/10577 | Patch Third Party Advisory |
https://vaadin.com/security/cve-2021-31408 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:05
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/vaadin/flow/pull/10577 - Patch, Third Party Advisory | |
References | () https://vaadin.com/security/cve-2021-31408 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : 3.3
v3 : 6.3 |
Information
Published : 2021-04-23 17:15
Updated : 2024-11-21 06:05
NVD link : CVE-2021-31408
Mitre link : CVE-2021-31408
CVE.ORG link : CVE-2021-31408
JSON object : View
Products Affected
vaadin
- flow
- vaadin
CWE
CWE-613
Insufficient Session Expiration