Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 up to and including 1.0.13 (Vaadin 10.0.0 up to and including 10.0.16), 1.1.0 before 2.0.0 (Vaadin 11 before 14), 2.0.0 up to and including 2.4.6 (Vaadin 14.0.0 up to and including 14.4.6), 3.0.0 before 5.0.0 (Vaadin 15 before 18), and 5.0.0 up to and including 5.0.2 (Vaadin 18.0.0 up to and including 18.0.5) allows malicious user to guess a security token via timing attack.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
vaadin flow |
||
vaadin vaadin |