History: May 05, 2021 - 7:07 p.m.

CVE-2021-31409 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19

2021-05-05 19:07:30
CWE-400
Vaadin
www.cve.org
5
cve-2021-31409
server session
logout
vaadin 18-19
unsafe validation
regex
emailvalidator
resource consumption

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.002
Percentile: 54.9%

Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

CNA Affected

[
  {
    "product": "Vaadin",
    "vendor": "Vaadin",
    "versions": [
      {
        "lessThan": "*",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "vaadin-compatibility-server",
    "vendor": "Vaadin",
    "versions": [
      {
        "lessThan": "*",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "custom"
      }
    ]
  }
]
