Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWM1N2YtNHZwMi1qcWht

Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

https://vaadin.com/security/cve-2021-31411

Permalink: https://github.com/advisories/GHSA-c57f-4vp2-jqhm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWM1N2YtNHZwMi1qcWht
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-c57f-4vp2-jqhm
References:

Repository: https://github.com/vaadin/flow
Blast Radius: 13.3

Affected Packages

maven:com.vaadin:flow-server

Dependent packages: 91
Dependent repositories: 128
Downloads:
Affected Version Ranges: >= 3.0.0, <= 6.0.5, >= 2.0.9, <= 2.5.2
Fixed in: 6.0.6, 2.5.3
All affected versions: 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.5.0, 2.5.1, 2.5.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 2.7.19, 2.7.20, 2.7.21, 2.7.22, 2.7.23, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.18, 9.0.19, 9.0.20, 9.0.21, 9.0.22, 9.0.23, 9.0.24, 9.0.25, 9.0.26, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 23.0.8, 23.0.9, 23.0.10, 23.0.11, 23.0.12, 23.0.13, 23.0.14, 23.1.0, 23.1.1, 23.1.2, 23.1.3, 23.1.4, 23.1.5, 23.1.6, 23.1.7, 23.1.8, 23.1.9, 23.1.10, 23.1.11, 23.1.12, 23.2.0, 23.2.1, 23.2.2, 23.2.3, 23.2.4, 23.2.5, 23.2.6, 23.2.7, 23.2.8, 23.2.9, 23.2.10, 23.2.11, 23.3.0, 23.3.1, 23.3.2, 23.3.3, 23.3.4, 23.3.5, 23.3.6, 23.3.7, 23.3.8, 23.3.9, 23.3.10, 23.3.11, 23.3.12, 23.3.13, 23.3.14, 23.3.15, 23.3.16, 23.3.17, 23.3.18, 23.3.19, 23.3.20, 23.3.21, 23.3.22, 23.3.23, 23.3.24, 23.3.25, 23.3.26, 23.3.27, 23.3.28, 23.3.29, 23.4.0, 23.5.0, 24.0.0, 24.0.1, 24.0.2, 24.0.3, 24.0.4, 24.0.5, 24.0.6, 24.0.7, 24.0.8, 24.0.9, 24.0.10, 24.0.11, 24.0.12, 24.0.13, 24.0.14, 24.0.15, 24.0.16, 24.1.0, 24.1.1, 24.1.2, 24.1.3, 24.1.4, 24.1.5, 24.1.6, 24.1.7, 24.1.8, 24.1.9, 24.1.10, 24.1.11, 24.1.12, 24.1.13, 24.1.14, 24.1.15, 24.1.16, 24.1.17, 24.1.18, 24.1.19, 24.1.20, 24.1.21, 24.2.0, 24.2.1, 24.2.2, 24.2.3, 24.2.4, 24.2.5, 24.2.6, 24.2.7, 24.2.8, 24.2.9, 24.2.10, 24.2.11, 24.2.12, 24.3.0, 24.3.1, 24.3.2, 24.3.3, 24.3.4, 24.3.5, 24.3.6, 24.3.7, 24.3.8