Description

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

Remediation

References

https://github.com/vaadin/flow/pull/10640

https://vaadin.com/security/cve-2021-31411

Related Vulnerabilities

CVE-2022-3510 Vulnerability in maven package com.google.protobuf:protobuf-java

CVE-2023-0044 Vulnerability in maven package io.quarkus:quarkus-vertx-http

CVE-2020-13445 Vulnerability in maven package com.liferay:com.liferay.portal.template.freemarker

CVE-2012-0803 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security

CVE-2023-34465 Vulnerability in maven package org.xwiki.platform:xwiki-platform-security-authorization-bridge

Severity

High

Classification

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Vendor Advisory NVD-CWE-Other