Description
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
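As an added illustration of the vulnerability class described above (not code from the flow-server project; the page does not show the affected build code), the following Java snippet contrasts a predictable directory under the shared system temp location with a per-build directory created atomically with owner-only permissions. The class and method names are assumed for the example.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermissions;

// Constructed illustration of insecure vs. hardened temp directory use in a
// frontend build step; this is not Vaadin's code.
public class FrontendBuildTempDir {

    // Vulnerable pattern: a fixed, predictable path in the shared system temp
    // directory. createDirectories() succeeds even when another local user
    // already created the directory, so that user can plant or replace files
    // that the next rebuild will pick up as frontend resources.
    static Path insecureBuildDir() throws IOException {
        Path dir = Paths.get(System.getProperty("java.io.tmpdir"), "frontend-build");
        Files.createDirectories(dir);
        return dir;
    }

    // Hardened pattern: a fresh, randomly named directory created atomically
    // with owner-only permissions (where the file system supports POSIX modes),
    // so other local users can neither pre-create it nor write into it.
    // Staging the build under the project's own directory rather than the
    // shared tmp location removes the shared-directory risk entirely.
    static Path secureBuildDir() throws IOException {
        boolean posix = FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
        FileAttribute<?>[] attrs = posix
                ? new FileAttribute<?>[] {
                        PosixFilePermissions.asFileAttribute(
                                PosixFilePermissions.fromString("rwx------")) }
                : new FileAttribute<?>[0];
        Path dir = Files.createTempDirectory("frontend-build-", attrs);
        // Defense in depth: refuse to use the path if it is not a real directory.
        if (Files.isSymbolicLink(dir) || !Files.isDirectory(dir)) {
            throw new IOException("unexpected temp dir state: " + dir);
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("insecure: " + insecureBuildDir());
        System.out.println("secure:   " + secureBuildDir());
    }
}
```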
Remediation
References
https://vaadin.com/security/cve-2021-31411
https://github.com/vaadin/flow/pull/10640
Related Vulnerabilities
CVE-2023-30867 Vulnerability in maven package org.apache.streampark:streampark
CVE-2019-10298 Vulnerability in maven package org.jenkins-ci.plugins:koji
CVE-2011-0509 Vulnerability in maven package com.vaadin:vaadin
CVE-2017-5653 Vulnerability in maven package org.apache.cxf:cxf-rt-rs-security-xml
CVE-2018-1000170 Vulnerability in maven package org.jenkins-ci.main:jenkins-core