Description

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

Remediation

References

https://github.com/vaadin/flow/pull/10640

https://vaadin.com/security/cve-2021-31411

Related Vulnerabilities

CVE-2020-9488 Vulnerability in maven package org.apache.logging.log4j:log4j

CVE-2022-26112 Vulnerability in maven package org.apache.pinot:pinot-controller

CVE-2022-35915 Vulnerability in maven package org.webjars.npm:openzeppelin__contracts-upgradeable

CVE-2022-24718 Vulnerability in npm package @finastra/ssr-pages

CVE-2023-30541 Vulnerability in npm package @openzeppelin/contracts

Severity

High

Classification

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Vendor Advisory NVD-CWE-Other