Vulnerability Description
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vaadin | Flow | >= 2.0.9, < 2.5.3 |
| Vaadin | Vaadin | >= 14.0.3, < 14.5.3 |
Related Weaknesses (CWE)
References
- https://github.com/vaadin/flow/pull/10640PatchThird Party Advisory
- https://vaadin.com/security/cve-2021-31411Vendor Advisory
- https://github.com/vaadin/flow/pull/10640PatchThird Party Advisory
- https://vaadin.com/security/cve-2021-31411Vendor Advisory
FAQ
What is CVE-2021-31411?
CVE-2021-31411 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19...
How severe is CVE-2021-31411?
CVE-2021-31411 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-31411?
Check the references section above for vendor advisories and patch information. Affected products include: Vaadin Flow, Vaadin Vaadin.