Description

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

Remediation

References

https://github.com/vaadin/flow/pull/10640

https://vaadin.com/security/cve-2021-31411

Related Vulnerabilities

CVE-2019-17495 Vulnerability in maven package org.webjars.npm:swagger-ui

CVE-2020-8215 Vulnerability in npm package canvas

CVE-2023-36665 Vulnerability in maven package org.webjars.npm:protobufjs

CVE-2020-8910 Vulnerability in npm package google-closure-library

CVE-2023-24057 Vulnerability in maven package ca.uhn.hapi.fhir:org.hl7.fhir.convertors

Severity

High

Classification

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Vendor Advisory NVD-CWE-Other