GHSA-6hgr-2g6q-3rmc: 
Java vulnerability analysis and mitigation

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) contains a vulnerability related to session invalidation during logout. The issue was discovered and disclosed in April 2021, affecting Vaadin Flow applications that use the Authentication module's logout() helper method in combination with Spring Security CSRF protection (Vaadin Security).

The vulnerability stems from the Authentication.logout() helper using an incorrect HTTP method for logout operations. When Spring CSRF protection is enabled (which is the default in Spring Security), only HTTP POST requests are allowed for logout operations. However, the affected versions use HTTP GET requests, which fail to properly invalidate the session when CSRF protection is enabled. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Moderate) with vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N (GitHub Advisory).

When exploited, this vulnerability allows local attackers to continue accessing Fusion endpoints even after a user has attempted to log out. This creates a significant security risk as it fails to properly terminate user sessions, potentially exposing sensitive information and functionality to unauthorized access (Vaadin Security).

The recommended mitigation is to upgrade to patched versions: Vaadin 19.0.4 or newer for Vaadin 19.x users. For Vaadin 18 users, which is no longer supported, upgrading to Vaadin 19.0.4 or a newer version is mandatory. The specific fix was implemented in com.vaadin:flow-client version 6.0.5. While it's possible to disable CSRF protection for logout, this approach is not recommended from a security standpoint (Vaadin Security).