CVE-2021-31408: Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19

CVSS Score (v3.1): 6.3

Basic Information

EPSS Score: 0.30706%
Published: 4/22/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name: com.vaadin:vaadin-bom
Ecosystem: maven
Vulnerable Versions: >= 18.0.0, < 19.0.4
First Patched Version: 19.0.4

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The patches change the Authentication.ts file, specifically the logout and doLogout functions that implement the logout helper. The fix makes the logout request use the correct HTTP method and include the CSRF token. The updateSpringCsrfMetaTag function, which handles the CSRF token, was also modified as part of the fix.

WAF Protection Rules

WAF Rule

`Authentication.logout()` helper in `com.vaadin:flow-client` versions *.*.* prior to *.*.* (Vaadin **), and *.*.* through *.*.* (Vaadin **.*.* through **.*.*) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, all
