CVE-2021-31408

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Published: Apr 23, 2021
Updated: May 9, 2024
CVE: CVE-2021-31408
GHSA: GHSA-mr8h-j9cv-4m8h
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Low
Score: 3.3
AV:L/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-287
CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
vaadin / flow	5.0.0	6.0.0
vaadin / flow	6.0.0	6.0.5
vaadin / vaadin	19.0.0	19.0.4
vaadin / vaadin	18.0.0	18.0.0.x
com.vaadin / vaadin-bom	18.0.0	19.0.4

https://github.com/vaadin/flow/pull/10577
https://github.com/vaadin/platform/security/advisories/GHSA-mr8h-j9cv-4m8h
https://vaadin.com/security/cve-2021-31408

Vulnerability Database

291,049

CVE-2021-31408