Description
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
Remediation
References
https://github.com/vaadin/flow/pull/10640
https://vaadin.com/security/cve-2021-31411
Related Vulnerabilities
CVE-2020-5228 Vulnerability in maven package org.opencastproject:opencast-oaipmh-api
CVE-2020-28423 Vulnerability in npm package monorepo-build
CVE-2010-2273 Vulnerability in npm package dojo
CVE-2020-1912 Vulnerability in npm package hermes-engine
CVE-2020-7691 Vulnerability in maven package org.webjars.bower:jspdf