Description

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

Remediation

References

https://github.com/vaadin/flow/pull/10640

https://vaadin.com/security/cve-2021-31411

Related Vulnerabilities

CVE-2023-40027 Vulnerability in npm package @keystone-6/core

CVE-2021-43138 Vulnerability in maven package org.webjars.bowergithub.caolan:async

CVE-2022-0748 Vulnerability in npm package post-loader

CVE-2021-46062 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2022-41927 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-ui

Severity

High

Classification

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Vendor Advisory NVD-CWE-Other