
CVE-2021-31406: Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

CVSS Score: 4 (CVSS v3.1)

Basic Information

EPSS Score: 0.16933%
Published: 4/19/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name             Ecosystem   Vulnerable Versions   First Patched Version
com.vaadin:flow-server   maven       >= 3.0.0, < 5.0.4     5.0.4
com.vaadin:flow-server   maven       = 6.0.0               6.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from non-constant-time comparisons of security tokens using String.equals(), which returns at the first mismatching character, so the time taken to reject a guessed token depends on how long a prefix of it was correct. All four vulnerable functions were explicitly modified across multiple commits to replace equals() with MessageDigest.isEqual(), as shown in the patch diffs. These functions directly handle security-critical token comparisons (CSRF tokens, push IDs, upload security keys), and their pre-patch implementations would appear in runtime profiles during token validation when an attacker sends crafted requests. Confidence is high because the patch evidence directly shows insecure comparisons being replaced with constant-time equivalents in security-sensitive contexts.
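As an added illustration (not Vaadin's own code), the comparison pattern the patch replaced next to its constant-time replacement; the class and method names are hypothetical and the tokens are constructed:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not code from the Vaadin project: a request handler
// validating a CSRF token from a request against the one held in the
// session. Class and method names are hypothetical.
public final class TokenCheck {

    // BEFORE (the vulnerable pattern): String.equals() returns as soon as
    // it meets the first differing character, so the time needed to reject
    // a guess grows with the length of the correct prefix in that guess.
    static boolean validateVulnerable(String sessionToken, String requestToken) {
        if (sessionToken == null || requestToken == null) {
            return false;
        }
        return sessionToken.equals(requestToken);
    }

    // AFTER (the fix pattern): MessageDigest.isEqual() examines every byte
    // whatever the position of the first mismatch, so rejection time does
    // not reveal how much of the token matched. It still returns early when
    // the lengths differ, which is acceptable for fixed-length tokens.
    static boolean validateConstantTime(String sessionToken, String requestToken) {
        if (sessionToken == null || requestToken == null) {
            return false;
        }
        byte[] expected = sessionToken.getBytes(StandardCharsets.UTF_8);
        byte[] provided = requestToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, provided);
    }

    public static void main(String[] args) {
        // Constructed sample tokens; real ones are random and session-bound.
        String stored     = "1f3a9c0e-7b2d-4e61-9c8a-5d4f2b0e7a13";
        String wrongEarly = "000000000000000000000000000000000000"; // differs at byte 0
        String wrongLate  = "1f3a9c0e-7b2d-4e61-9c8a-5d4f2b0e7a1X"; // differs at the last byte

        // equals() stops at byte 0 for wrongEarly but scans 35 bytes for
        // wrongLate before rejecting: that difference is the side channel.
        System.out.println("equals, matching:   " + validateVulnerable(stored, stored));
        System.out.println("equals, early diff: " + validateVulnerable(stored, wrongEarly));
        System.out.println("equals, late diff:  " + validateVulnerable(stored, wrongLate));

        // isEqual() does the same amount of work for both wrong guesses.
        System.out.println("isEqual, matching:   " + validateConstantTime(stored, stored));
        System.out.println("isEqual, early diff: " + validateConstantTime(stored, wrongEarly));
        System.out.println("isEqual, late diff:  " + validateConstantTime(stored, wrongLate));
    }
}
```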
