Lucene search

[email protected]NVD:CVE-2021-31408

HistoryApr 23, 2021 - 5:15 p.m.

CVE-2021-31408

2021-04-2317:15:08

CWE-613

[email protected]

web.nvd.nist.gov

3.3 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:P/A:N

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

28.1%

JSON

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Affected configurations

NVD

Node

vaadinflowRange5.0.0–6.0.0

vaadinflowRange6.0.0–6.0.5

vaadinvaadinRange19.0.0–19.0.4

vaadinvaadinMatch18.0.0-

References

github.com/vaadin/flow/pull/10577

vaadin.com/security/cve-2021-31408

3.3 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:P/A:N

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

28.1%

JSON

Related for NVD:CVE-2021-31408

cve1 vaadin1 osv3 prion1 veracode1 github2 cvelist1