Apr 20, 2021 - 12:00 a.m.

CVE-2021-31408 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19

2021-04-20 00:00:00
CWE-613
Vaadin
www.cve.org

6.3 Medium (CVSS3)

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS: 0.001 Low
Percentile: 28.1%

The Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3), uses an incorrect HTTP method. In combination with Spring Security CSRF protection, the logout request does not invalidate the server session, which allows local attackers to access Fusion endpoints after the user attempted to log out.

CNA Affected

[
  {
    "product": "Vaadin",
    "vendor": "Vaadin",
    "versions": [
      {
        "changes": [
          {
            "at": "19.0.0",
            "status": "unaffected"
          },
          {
            "at": "19.0.0",
            "status": "affected"
          }
        ],
        "lessThan": "*",
        "status": "affected",
        "version": "18.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "flow-client",
    "vendor": "Vaadin",
    "versions": [
      {
        "changes": [
          {
            "at": "6.0.0",
            "status": "unaffected"
          },
          {
            "at": "6.0.0",
            "status": "affected"
          }
        ],
        "lessThan": "*",
        "status": "affected",
        "version": "5.0.0",
        "versionType": "custom"
      }
    ]
  }
]
