CVE-2021-31411 — Insecure temporary directory usage in frontend build functionality of Vaadin 14

Description

Insecure temporary directory usage in frontend build functionality of `com.vaadin:flow-server` versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds. - https://vaadin.com/security/cve-2021-31411

How to fix CVE-2021-31411

To remediate CVE-2021-31411, upgrade the affected package to a fixed version below.

—upgrade to 14.5.3 or later

Is CVE-2021-31411 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 14.0.3, < 14.5.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-31411
WEBgithub.com/vaadin/flow/pull/10640
WEBgithub.com/vaadin/platform/security/advisories/GHSA-p826-8vhq-h439
WEBvaadin.com/security/cve-2021-31411