PT-2021-19293 · Vaadin · Com.Vaadin:Flow-Server

Published

2021-05-05

Updated

2021-05-18

CVE-2021-31411

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions com.vaadin:flow-server versions 2.0.9 through 2.5.2 com.vaadin:flow-server versions 3.0 prior to 6.0 com.vaadin:flow-server versions 6.0.0 through 6.0.5

Description Insecure temporary directory usage in frontend build functionality allows local users to inject malicious code into frontend resources during application rebuilds.

Recommendations For com.vaadin:flow-server versions 2.0.9 through 2.5.2, update to a version outside of this range to mitigate the risk. For com.vaadin:flow-server versions 3.0 prior to 6.0, update to version 6.0 or later to resolve the issue. For com.vaadin:flow-server versions 6.0.0 through 6.0.5, update to a version later than 6.0.5 to fix the vulnerability.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-379

Related Identifiers

CVE-2021-31411

GHSA-P826-8VHQ-H439

Affected Products

Com.Vaadin:Flow-Server

PT-2021-19293 · Vaadin · Com.Vaadin:Flow-Server

CVE-2021-31411

Weakness Enumeration

Related Identifiers

Affected Products

References · 8