Description

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

Remediation

References

https://github.com/vaadin/flow/pull/10640

https://vaadin.com/security/cve-2021-31411

Related Vulnerabilities

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-debug-jdk15on

CVE-2022-21803 Vulnerability in maven package org.webjars.npm:nconf

CVE-2013-2071 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2021-25913 Vulnerability in npm package set-or-get

CVE-2017-16031 Vulnerability in npm package socket.io

Severity

High

Classification

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Vendor Advisory NVD-CWE-Other