CVE-2021-31406: 
Java vulnerability analysis and mitigation

A timing side-channel vulnerability was identified in Vaadin's endpoint request handler, tracked as CVE-2021-31406. The vulnerability affects com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6) and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0). The issue stems from non-constant-time comparison of CSRF tokens in the endpoint request handler, which could potentially allow attackers to guess security tokens for Fusion endpoints through timing attacks (Vaadin Advisory).

The vulnerability is classified as CWE-208 (Observable Timing Discrepancy) and CWE-203 (Observable Discrepancy). It received a CVSS v3.1 base score of 4.0 (MEDIUM) with vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N according to Vaadin Ltd., while NIST assigned a base score of 2.5 (LOW) with vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The timing attacks could potentially lead to exposure of user tokens, which could be exploited to submit data on behalf of users without the ability to read responses. Additionally, attackers could potentially open websockets and listen for published data from the server for affected users, which might contain sensitive information depending on the application's nature (Vaadin Advisory).

The vulnerability has been fixed by implementing constant-time comparison for all security tokens. Users of affected versions are advised to upgrade to patched versions: Vaadin 18.0.0-18.0.6 should upgrade to 18.0.7 or newer, and Vaadin 19.0.0 should upgrade to 19.0.1 or newer. Versions 15-17 are no longer supported and users should update to the latest version 18 (Vaadin Advisory).