CVE-2021-31408

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*
cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*
cpe:2.3:a:vaadin:vaadin:18.0.0:-:*:*:*:*:*:*

History

21 Nov 2024, 06:05

Type Values Removed Values Added
References () https://github.com/vaadin/flow/pull/10577 - Patch, Third Party Advisory () https://github.com/vaadin/flow/pull/10577 - Patch, Third Party Advisory
References () https://vaadin.com/security/cve-2021-31408 - Vendor Advisory () https://vaadin.com/security/cve-2021-31408 - Vendor Advisory
CVSS v2 : 3.3
v3 : 7.1
v2 : 3.3
v3 : 6.3

Information

Published : 2021-04-23 17:15

Updated : 2024-11-21 06:05


NVD link : CVE-2021-31408

Mitre link : CVE-2021-31408

CVE.ORG link : CVE-2021-31408


JSON object : View

Products Affected

vaadin

  • flow
  • vaadin
CWE
CWE-613

Insufficient Session Expiration