Description
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
Remediation
References
https://github.com/vaadin/flow/pull/10640
https://vaadin.com/security/cve-2021-31411
Related Vulnerabilities
CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-hive
CVE-2021-3807 Vulnerability in npm package ansi-regex
CVE-2021-26272 Vulnerability in npm package ckeditor4-dev
CVE-2020-8137 Vulnerability in npm package fastify
CVE-2010-5312 Vulnerability in maven package org.webjars:jquery-ui