CVE-2021-31403 — Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8

Description

Non-constant-time comparison of CSRF tokens in UIDL request handler in `com.vaadin:vaadin-server` versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack - https://vaadin.com/security/cve-2021-31403

How to fix CVE-2021-31403

To remediate CVE-2021-31403, upgrade the affected package to a fixed version below.

—upgrade to 7.7.24 or later
—upgrade to 7.7.24 or later

Is CVE-2021-31403 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.0.0, < 7.7.24
>= 7.0.0, < 7.7.24

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.0	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-31403
WEBgithub.com/vaadin/framework/pull/12188
WEBgithub.com/vaadin/framework/pull/12190
WEBgithub.com/vaadin/framework/security/advisories/GHSA-75xc-qvxh-27f8
WEB