Description
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
Remediation
References
https://github.com/vaadin/flow/pull/10640
https://vaadin.com/security/cve-2021-31411
Related Vulnerabilities
CVE-2022-3224 Vulnerability in maven package org.webjars.npm:parse-url
CVE-2022-41927 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-ui
CVE-2020-13959 Vulnerability in maven package org.apache.velocity.tools:velocity-tools-view
CVE-2021-46708 Vulnerability in maven package org.webjars.bower:swagger-ui