Vulnerabilities > CVE-2021-31408 - Insufficient Session Expiration vulnerability in Vaadin Flow and Vaadin

CVSS 3.3 - LOW

Attack vector

LOCAL

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

local

vaadin

CWE-613

NVD

Published: 2021-04-23

Updated: 2021-05-04

Summary

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Vulnerable Configurations

Part	Description	Count
Application	Vaadin Vaadin Flow 5.0.0 Vaadin Flow 5.0.1 Vaadin Flow 5.0.2 Vaadin Flow 5.0.3 Vaadin Flow 5.0.4 Vaadin Flow 6.0.0 Vaadin Flow 6.0.1 Vaadin Flow 6.0.2 Vaadin Flow 6.0.3 Vaadin Flow 6.0.4 Vaadin Vaadin 18.0.0 Vaadin Vaadin 19.0.0 Vaadin Vaadin 19.0.1 Vaadin Vaadin 19.0.2 Vaadin Vaadin 19.0.3	39

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References