GHSA-9h6g-6mxg-vvp4: 
Java vulnerability analysis and mitigation

A timing side channel vulnerability was discovered in Vaadin versions 15.0.0 through 18.0.6, and 19.0.0, identified as CVE-2021-31406. The vulnerability affects the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 and com.vaadin:fusion-endpoint version 6.0.0. The issue stems from non-constant-time comparison of CSRF tokens, which could potentially allow attackers to guess security tokens for Fusion endpoints through timing attacks. The vulnerability was discovered by Xhelal Likaj and was published on April 16, 2021 (GitHub Advisory, Vaadin Security).

The vulnerability is classified with a CVSS v3.1 base score of 4.0 (Moderate severity) with the following metrics: Attack Vector: Local, Attack Complexity: High, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: Low, Availability: None. The technical identifier is CWE-208 (Observable Timing Discrepancy). The vulnerability exists in the token checking implementation where the time taken to reject invalid tokens could be measured, potentially exposing the system to timing-based attacks (Vaadin Security).

The exploitation of this vulnerability could result in the exposure of user tokens, which could be misused to submit data on behalf of users without the ability to read responses. Additionally, attackers could potentially open websockets and listen for published data from the server for affected users, which might contain sensitive information depending on the application's nature (Vaadin Security).

Users of affected versions are advised to upgrade to patched versions: Vaadin 18.0.0-18.0.6 should upgrade to 18.0.7 or newer, and Vaadin 19.0.0 should upgrade to 19.0.1 or newer. Versions 15-17 are no longer supported and users should update to the latest 18 version. The vulnerability has been fixed by implementing constant-time comparison for all security tokens to prevent potential timing attacks (Vaadin Security).