
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-31404 is a timing side channel vulnerability discovered in the UIDL request handler of Vaadin framework versions 10 through 18. The vulnerability was identified in the flow-server component, affecting versions from 1.0.0 through 5.0.2, and was disclosed on April 23, 2021. The issue stems from non-constant-time comparison of CSRF tokens in the request handler (Vaadin Security).
The vulnerability is classified with a Medium severity rating and a CVSS v3.1 base score of 4.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). The issue is categorized under CWE-208 (Observable Timing Discrepancy) and involves the non-constant-time comparison of security tokens used for CSRF protection, Push requests, and Upload request management (Vaadin Security).
The vulnerability could allow attackers to guess security tokens through timing attacks. If successfully exploited, attackers could submit data on behalf of users without reading responses, or open websockets to listen for published data from the server. The exposed tokens could lead to unauthorized access to sensitive information, depending on the nature of the application (Vaadin Security).
The vulnerability has been fixed by implementing constant-time comparison for all security tokens. Users of affected versions are advised to upgrade to the following patched versions: users of Vaadin 10.0.0-10.0.16 should upgrade to 10.0.17 or newer, users of Vaadin 14.0.0-14.4.6 should upgrade to 14.4.7 or newer, and users of Vaadin 18.0.0-18.0.5 should upgrade to 18.0.6 or newer. Users of versions 11-13 and 15-17, which are no longer supported, should upgrade to the latest 14 or 18 version respectively (Vaadin Security).
The vulnerability was discovered and responsibly reported by security researcher Xhelal Likaj. The fix was implemented through a pull request that introduced time-constant comparison for CSRF tokens, which was merged and subsequently cherry-picked to multiple versions of the framework (GitHub PR).
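The defect and its fix in miniature, as an added example that is not Vaadin's own code: a hypothetical handler validates the CSRF token carried in a UIDL request against the token stored in the session, first with a short-circuiting String comparison of the kind CWE-208 describes and then with a constant-time byte comparison via java.security.MessageDigest.isEqual. The class, method and variable names are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Illustrative CSRF token check (hypothetical names; not the framework's code). */
public class CsrfTokenCheck {

    /** Session-scoped token: 32 random bytes, URL-safe base64, fixed length. */
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * Vulnerable pattern (CWE-208): String.equals returns as soon as the first
     * differing character is found, so the response time grows with the length
     * of the matching prefix and lets the token be recovered character by character.
     */
    static boolean isValidTokenTimingLeaky(String expected, String submitted) {
        return submitted != null && expected.equals(submitted);
    }

    /**
     * Hardened pattern: compare the UTF-8 bytes with MessageDigest.isEqual, which in
     * current JDKs inspects every byte when the lengths match instead of stopping at
     * the first mismatch. A length mismatch still returns early; that is acceptable
     * because the token length is fixed and public.
     */
    static boolean isValidTokenConstantTime(String expected, String submitted) {
        if (submitted == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        String sessionToken = newToken();
        // Constructed inputs: a same-length token differing only in its last character,
        // and a missing token, as a request without the header would present.
        int last = sessionToken.length() - 1;
        char flipped = sessionToken.charAt(last) == 'A' ? 'B' : 'A';
        String wrongSameLength = sessionToken.substring(0, last) + flipped;
        System.out.println("genuine token accepted: " + isValidTokenConstantTime(sessionToken, sessionToken));
        System.out.println("altered token rejected: " + !isValidTokenConstantTime(sessionToken, wrongSameLength));
        System.out.println("missing token rejected: " + !isValidTokenConstantTime(sessionToken, null));
    }
}
```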
Source: This report was generated using AI