GHSA-c57f-4vp2-jqhm – com.vaadin:flow-server

Package

Manager: maven
Name: com.vaadin:flow-server
Vulnerable Version: >=2.0.9 <2.5.3 || >=3.0.0 <6.0.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 Insecure temporary directory usage in frontend build functionality of `com.vaadin:flow-server` versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds. - https://vaadin.com/security/cve-2021-31411

Metadata

Created: 2021-05-06T15:27:04Z
Modified: 2021-10-05T16:29:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c57f-4vp2-jqhm/GHSA-c57f-4vp2-jqhm.json
CWE IDs: ["CWE-379"]
Alternative ID: N/A
Finding: F028
Auto approve: 1