7.1

CVE-2021-31408

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VaadinFlow Version >= 5.0.0 < 6.0.0
VaadinFlow Version >= 6.0.0 < 6.0.5
VaadinVaadin Version >= 19.0.0 < 19.0.4
VaadinVaadin Version18.0.0 Update-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.05% 0.148
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
nvd@nist.gov 3.3 3.4 4.9
AV:L/AC:M/Au:N/C:P/I:P/A:N
security@vaadin.com 6.3 1 5.2
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/vaadin/flow/pull/10577
Patch
Third Party Advisory