GHSA-p826-8vhq-h439

Source

https://github.com/advisories/GHSA-p826-8vhq-h439

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-p826-8vhq-h439/GHSA-p826-8vhq-h439.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p826-8vhq-h439

Aliases

CVE-2021-31411

Published

2021-05-06T15:27:12Z

Modified

2023-11-08T04:05:48.589209Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19

Details

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

https://vaadin.com/security/cve-2021-31411

Database specific

{
    "nvd_published_at": "2021-05-05T19:15:00Z",
    "github_reviewed_at": "2021-05-04T17:54:40Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-379"
    ]
}

References

Affected packages

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.3

Fixed

14.5.3

Affected versions

14.*

14.0.3

14.0.4

14.0.5

14.0.6

14.0.7

14.0.8

14.0.9

14.0.10

14.0.11

14.0.12

14.0.13

14.0.14

14.0.15

14.1.0

14.1.1

14.1.2

14.1.3

14.1.4

14.1.5

14.1.16

14.1.17

14.1.18

14.1.19

14.1.20

14.1.21

14.1.22

14.1.23

14.1.24

14.1.25

14.1.26

14.1.27

14.1.28

14.2.0

14.2.1

14.2.2

14.2.3

14.3.0

14.3.1

14.3.2

14.3.3

14.3.4

14.3.5

14.3.6

14.3.7

14.3.8

14.3.9

14.4.0

14.4.1

14.4.2

14.4.3

14.4.4

14.4.5

14.4.6

14.4.7

14.4.8

14.4.9

14.4.10

14.5.0

14.5.1

14.5.2

Database specific

{
    "last_known_affected_version_range": "<= 14.5.2"
}

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.0.0

Fixed

19.0.5

Affected versions

15.*

15.0.0

15.0.1

15.0.2

15.0.3

15.0.4

15.0.5

15.0.6

16.*

16.0.0

16.0.1

16.0.2

16.0.3

16.0.4

16.0.5

17.*

17.0.0

17.0.1

17.0.2

17.0.3

17.0.4

17.0.6

17.0.7

17.0.8

17.0.9

17.0.10

17.0.11

18.*

18.0.0

18.0.1

18.0.2

18.0.3

18.0.4

18.0.5

18.0.6

18.0.7

19.*

19.0.0

19.0.1

19.0.2

19.0.3

19.0.4

Database specific

{
    "last_known_affected_version_range": "<= 19.0.2"
}