Description
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
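To make the bug class concrete, the following is an added illustration (not code from Vaadin Flow or from the referenced pull request) of the insecure pattern the description names, a fixed and predictable path under the shared system temp directory, beside the hardened form: an atomically created, randomly named, owner-only directory that is re-checked before use. Method names and the build-directory prefix are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

public class FrontendBuildTempDir {

    // Insecure (illustrative): a predictable directory in the world-writable
    // system temp dir. createDirectories() happily reuses a directory that another
    // local user created or populated beforehand, so files the build later copies
    // from here into frontend resources may not be the build's own output.
    static Path insecureBuildDir() throws IOException {
        Path dir = Paths.get(System.getProperty("java.io.tmpdir"), "frontend-build");
        Files.createDirectories(dir);
        return dir;
    }

    // Hardened: a fresh directory with an unpredictable name, created atomically so
    // nobody can pre-create it, with permissions that let only the owner read, write
    // or traverse it, and verified afterwards before the build writes anything.
    static Path secureBuildDir() throws IOException {
        Path dir;
        try {
            FileAttribute<Set<PosixFilePermission>> ownerOnly = PosixFilePermissions
                    .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
            dir = Files.createTempDirectory("frontend-build-", ownerOnly);
        } catch (UnsupportedOperationException noPosix) {
            // Non-POSIX file system (e.g. Windows): still a unique, atomically
            // created directory; per-user ACLs are inherited from the temp root.
            dir = Files.createTempDirectory("frontend-build-");
        }
        // Post-creation checks: not a symlink, and owned by the current user.
        if (Files.isSymbolicLink(dir)) {
            throw new IOException("refusing symlinked temp dir: " + dir);
        }
        UserPrincipal me = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!me.equals(Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS))) {
            throw new IOException("temp dir not owned by current user: " + dir);
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        Path dir = secureBuildDir();
        System.out.println("build dir: " + dir);
        System.out.println("perms: " + PosixFilePermissions.toString(
                Files.getPosixFilePermissions(dir)));  // rwx------ on POSIX systems
        Files.delete(dir);
    }
}
```

Keeping build scratch space inside the project's own build directory (which is not shared with other local users) removes the shared-temp-dir problem entirely and is the simplest mitigation where the build layout allows it.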
Remediation
References
https://github.com/vaadin/flow/pull/10640
https://vaadin.com/security/cve-2021-31411