{"id":"CVE-2021-31403","details":"Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to guess a security token via a timing attack","aliases":["GHSA-75xc-qvxh-27f8"],"modified":"2026-05-31T04:39:10.390304Z","published":"2021-04-23T16:15:08.600Z","references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2021-31403"},{"type":"FIX","url":"https://github.com/vaadin/framework/pull/12188"},{"type":"FIX","url":"https://github.com/vaadin/framework/pull/12190"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/framework","events":[{"introduced":"b29ce01468ed115e942105986da362d665408033"},{"fixed":"ebfc693f2d74965aebc6773ee696153441a822e5"},{"introduced":"fb74e3d03793a7f9c433a7be583d55e3e2d1c35d"},{"fixed":"d8ba0a4d10b7f7400b524252cd5925c58ce131a4"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.7.24"},{"introduced":"8.0.0"},{"fixed":"8.12.3"}],"cpe":"cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31403.json","vanir_signatures_modified":"2026-05-31T04:39:10Z","vanir_signatures":[{"source":"https://github.com/vaadin/framework/commit/d8ba0a4d10b7f7400b524252cd5925c58ce131a4","target":{"file":"client/src/main/java/com/vaadin/client/event/PointerEventSupportImplIE10.java","function":"getNativeEventName"},"signature_type":"Function","id":"CVE-2021-31403-3792665d","deprecated":false,"digest":{"length":56,"function_hash":"120348944873309959167790418804657867995"},"signature_version":"v1"},{"source":"https://github.com/vaadin/framework/commit/d8ba0a4d10b7f7400b524252cd5925c58ce131a4","target":{"file":"client/src/main/java/com/vaadin/client/event/PointerEventSupportImplIE10.java"},"signature_type":"Line","id":"CVE-2021-31403-89bf285d","deprecated":false,"digest":{"line_hashes":["11355839847430038605860934608170974081","93337319848138399291306679006129482278","210041750547152914784396289145157538072","239308953588520565464957408716344818786","130774423845043858384653373302219319406","71446160060510440618345532168139805607"],"threshold":0.9},"signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}