CVE-2021-31408

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

CVSS v3 7.1 HIGH
CVSS v2.0 3.3 LOW

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 3.4 / Impact : 4.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/vaadin/flow/pull/10577	Patch Third Party Advisory
https://vaadin.com/security/cve-2021-31408	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:flow::::::::
	cpe:2.3:a:vaadin:vaadin::::::::
	cpe:2.3:a:vaadin:vaadin:18.0.0:-::::::

History

04 May 2021, 16:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 3.3 v3 : 7.1
CWE		CWE-613
CPE		cpe:2.3:a:vaadin:vaadin:18.0.0:-:::::: cpe:2.3:a:vaadin:flow:::::::: cpe:2.3:a:vaadin:vaadin::::::::
References	~~(MISC) https://github.com/vaadin/flow/pull/10577 -~~	(MISC) https://github.com/vaadin/flow/pull/10577 - Patch, Third Party Advisory
References	~~(MISC) https://vaadin.com/security/cve-2021-31408 -~~	(MISC) https://vaadin.com/security/cve-2021-31408 - Vendor Advisory

23 Apr 2021, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-04-23 17:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-31408

Mitre link : CVE-2021-31408

CVE.ORG link : CVE-2021-31408

JSON object : View

Products Affected

vaadin

flow
vaadin

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2021-31408", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security@vaadin.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.0}]}, "published": "2021-04-23T17:15:08.260", "references": [{"url": "https://github.com/vaadin/flow/pull/10577", "tags": ["Patch", "Third Party Advisory"], "source": "security@vaadin.com"}, {"url": "https://vaadin.com/security/cve-2021-31408", "tags": ["Vendor Advisory"], "source": "security@vaadin.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-613"}]}, {"type": "Secondary", "source": "security@vaadin.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out."}, {"lang": "es", "value": "El asistente Authentication.logout() en com.vaadin:flow-client versiones 5.0.0 anteriores a 6.0.0 (Vaadin 18) y versiones 6.0.0 hasta 6.0.4 (versiones Vaadin 19.0.0 hasta 19.0.3) usan un m\u00e9todo HTTP incorrecto , que, en combinaci\u00f3n con la protecci\u00f3n CSRF de Spring Security, permite a atacantes locales acceder a endpoints de Fusion despu\u00e9s de que el usuario intenta cerrar la sesi\u00f3n"}], "lastModified": "2021-05-04T16:19:43.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "138C0A40-EC8F-4F6F-B907-1F5282B83958", "versionEndExcluding": "6.0.0", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9CCDECF-655E-48E5-ADEC-F5189C6E043D", "versionEndExcluding": "6.0.5", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74A5FA0C-C1AE-496E-8601-A9CC193F750E", "versionEndExcluding": "19.0.4", "versionStartIncluding": "19.0.0"}, {"criteria": "cpe:2.3:a:vaadin:vaadin:18.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0C90C81-A26F-4686-BC0C-6D86C3620F5C"}], "operator": "OR"}]}], "sourceIdentifier": "security@vaadin.com"}