4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-31404

GHSA ID

GHSA-xwg3-qrcg-w9x6

EPSS Score

0.13888%

CWE

CWE-203

Published

4/19/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-31404

CVE-2021-31404:
Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 through 13), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.

https://vaadin.com/security/cve-2021-31404

(GitHub Advisory)

4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-31404

GHSA ID

GHSA-xwg3-qrcg-w9x6

EPSS Score

0.13888%

CWE

CWE-203

Published

4/19/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.vaadin:flow-server	maven	>= 1.0.0, < 1.0.14	1.0.14
com.vaadin:flow-server	maven	>= 1.1.0, < 2.4.7	2.4.7
com.vaadin:flow-server	maven	>= 3.0.0, < 5.0.3	5.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in security token comparisons using String.equals() which leaks timing information. The patches explicitly modify three comparison points across different handlers (CSRF, push ID, and upload security) to use constant-time MessageDigest.isEqual. The original unpatched versions of these functions would appear in runtime profiles during token validation when processing malicious requests. Each identified function directly handles security-critical comparisons and shows clear evidence of insecure pre-patch implementations in the provided diffs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Non-*onst*nt-tim* *omp*rison o* *SR* tok*ns in UI*L r*qu*st **n*l*r in `*om.v***in:*low-s*rv*r` v*rsions *.*.* t*rou** *.*.** (V***in **.*.* t*rou** **.*.**), *.*.* prior to *.*.* (V***in ** t*rou** **), *.*.* t*rou** *.*.* (V***in **.*.* t*rou** **.

Reasoning

T** vuln*r**ility m*ni**sts in s**urity tok*n *omp*risons usin* `Strin*.*qu*ls()` w*i** l**ks timin* in*orm*tion. T** p*t***s *xpli*itly mo*i*y t*r** *omp*rison points **ross *i***r*nt **n*l*rs (*SR*, pus* I*, *n* uplo** s**urity) to us* *onst*nt-tim

4

Basic Information

Concerned about an active attack path?

CVE-2021-31404: Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-31404:
Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18

Vulnerability Intelligence
Miggo AI