CVE-2021-31411

Source
https://cve.org/CVERecord?id=CVE-2021-31411
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31411.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31411
Aliases
Published
2021-05-05T19:15:08.777Z
Modified
2026-04-11T17:12:28.374282Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

References

Affected packages

Git / github.com/vaadin/flow

Affected ranges

Type
GIT
Repo
https://github.com/vaadin/flow
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.9"
        },
        {
            "fixed": "2.5.3"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "last_affected": "5.0.0"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "last_affected": "6.0.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/vaadin/vaadin
Events
Database specific
{
    "versions": [
        {
            "introduced": "14.0.3"
        },
        {
            "fixed": "14.5.3"
        },
        {
            "introduced": "15.0.0"
        },
        {
            "fixed": "19.0.5"
        }
    ]
}

Affected versions

6.*
6.0.0
6.0.0.rc1
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6

Database specific

vanir_signatures
[
    {
        "id": "CVE-2021-31411-5f3d7805",
        "target": {
            "file": "flow-server/src/main/java/com/vaadin/flow/server/frontend/JarContentsManager.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/995027d29ee538e7f707b2454686be75f02977ef",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "274118860405830707737187343030887766150",
                "327559721548196134147450388879998528952",
                "231391270674709341178973814261592708464",
                "211979396369304634247134746982955007251",
                "32900508480395475606250217170485575868",
                "80791419901938608036810617882838820733",
                "6026733202762934250207559657693826010",
                "17187701696772157707955369838765636321",
                "14585976683169020273786467247984779635",
                "136419670407895535633809878805326991124",
                "60136359027831226858976120404744046768",
                "171023654744543184735012727835208935228",
                "48270102157939833231118982497687312218",
                "175188813783905405808930999300082626303",
                "220604571186367106147995826939082644094",
                "15956785489358244696973139203321284713",
                "133908307871722389377786052986188030614",
                "172201478849480036233153468210094773069",
                "16731467310513679515719110523690099220",
                "325339830852643423504391538910603562036",
                "220115242206324016293745746735881530016",
                "139147795175099503122261681307185114248",
                "126281408131594152747505327874700784215"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2021-31411-e6b195bb",
        "target": {
            "function": "copyJarEntryTrimmingBasePath",
            "file": "flow-server/src/main/java/com/vaadin/flow/server/frontend/JarContentsManager.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/vaadin/flow/commit/995027d29ee538e7f707b2454686be75f02977ef",
        "signature_type": "Function",
        "digest": {
            "function_hash": "241441924087109472839976369467669757191",
            "length": 802.0
        },
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31411.json"
vanir_signatures_modified
"2026-04-11T17:12:28Z"