Description
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
Remediation
References
https://github.com/vaadin/flow/pull/10640
https://vaadin.com/security/cve-2021-31411
Related Vulnerabilities
CVE-2022-2218 Vulnerability in maven package org.webjars.npm:parse-url
CVE-2022-0436 Vulnerability in maven package org.webjars.npm:grunt
CVE-2021-21423 Vulnerability in npm package projen
CVE-2021-25930 Vulnerability in maven package org.opennms:opennms-webapp
CVE-2020-10969 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind