Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19

Moderate severity GitHub Reviewed Published Apr 20, 2021 in vaadin/flow • Updated Apr 17, 2023

Package

maven com.vaadin:flow-client (Maven)

Affected versions

>= 5.0.0, < 6.0.5

Patched versions

6.0.5

Description

The Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18) and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) sends the logout request with an incorrect HTTP method. When Spring Security CSRF protection is enabled, the request is not recognised as a logout and the server session is never invalidated, even though the client behaves as if the user had logged out. An attacker with local access to the same browser can therefore continue to call Fusion endpoints with the still-valid session after the user attempted to log out. Upgrade to 6.0.5 or later; until then, verify after a logout that the session cookie can no longer reach a protected endpoint rather than trusting the helper's return.

References

fluorumlabs published to vaadin/flow Apr 20, 2021
Reviewed Apr 22, 2021
Published to the GitHub Advisory Database Apr 22, 2021
Last updated Apr 17, 2023

Severity

Moderate
6.3
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE ID

No known CVE

GHSA ID

GHSA-6hgr-2g6q-3rmc
