Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-JAVA-COMVAADIN-1252747
- published 21 Apr 2021
- disclosed 19 Apr 2021
- credit Xhelal Likaj
How to fix?
com.vaadin:vaadin-server to version 8.12.3, 7.7.24 or higher.
com.vaadin:vaadin-server is a Java framework for modern Java web applications.
Affected versions of this package are vulnerable to Timing Attack. Non-constant-time comparison of CSRF tokens in the UIDL request handler allows an attacker to guess a security token via timing attack.