1. Home
  2. CVE Database
  3. CVE-2021-31408
MEDIUM · 6.3

CVE-2021-31408

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combina...

Vulnerability Description

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
VaadinFlow>= 5.0.0, < 6.0.0
VaadinVaadin>= 19.0.0, < 19.0.4

Related Weaknesses (CWE)

CWE-613

References

FAQ

What is CVE-2021-31408?

CVE-2021-31408 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combina...

How severe is CVE-2021-31408?

CVE-2021-31408 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-31408?

Check the references section above for vendor advisories and patch information. Affected products include: Vaadin Flow, Vaadin Vaadin.