Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19

Severity: Medium (Base score 6.3) CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE entry: CVE-2021-31411

Overview

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

See CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Description

During the build of a Vaadin application project, the frontend resources it uses are extracted from Java artifacts (.jar). In affected Vaadin versions, the resources were temporarily copied to the operating system's default temp folder, which on *NIX-based systems is world-writable by default. A malicious local program could therefore watch and modify those resources, injecting code that would then be executed as part of the application in the end user's browser.

Exploiting this issue requires that the application is built on a *NIX system.
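The following Java example is added here to illustrate the CWE-379 pattern the advisory describes; it is not Vaadin's own code and does not reproduce the fixed implementation. It places the weak pattern (a fixed-name directory under java.io.tmpdir) next to a hardened one (a randomly named, owner-only directory under the project's build output), adds an ownership and permission check before any extraction, and guards the jar extraction against path traversal. The class name, method names, the META-INF/resources/frontend/ entry prefix and the target/frontend-extract path are assumptions for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Enumeration;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Illustration of CWE-379 as described in the advisory; not Vaadin's own code. */
public class FrontendExtractDemo {

    // Assumed location of frontend resources inside a dependency jar.
    static final String FRONTEND_PREFIX = "META-INF/resources/frontend/";

    // Weak pattern (what the advisory describes): a fixed, predictable directory
    // under the shared system temp dir. On *NIX java.io.tmpdir is normally /tmp,
    // which is world-writable, so another local user can pre-create the path or
    // alter files between extraction and the build's use of them.
    static Path weakTargetDir() throws IOException {
        Path dir = Paths.get(System.getProperty("java.io.tmpdir"), "frontend-resources");
        return Files.createDirectories(dir); // silently reuses a directory someone else created
    }

    // Hardened pattern: a randomly named directory created atomically with
    // owner-only permissions, inside the project's own build output rather than
    // the shared temp directory. The explicit attribute requires a POSIX filesystem.
    static Path hardenedTargetDir(Path projectBuildDir) throws IOException {
        Files.createDirectories(projectBuildDir);
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createTempDirectory(projectBuildDir, "frontend-", attr);
    }

    // Check before extracting into any directory: it must be owned by the current
    // user and must not be writable by group or others. This rejects a directory
    // that another local user pre-created under the shared temp dir.
    static void assertPrivateDir(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("refusing group/world-writable directory: " + dir);
        }
        String owner = Files.getOwner(dir).getName();
        String current = System.getProperty("user.name");
        if (!owner.equals(current)) {
            throw new IOException("directory " + dir + " is owned by " + owner + ", not " + current);
        }
    }

    // Extract frontend entries from the jar into targetDir, refusing entries that
    // would escape targetDir through ".." components. Returns the number of files written.
    static int extractFrontend(Path jar, Path targetDir) throws IOException {
        assertPrivateDir(targetDir);
        Path root = targetDir.toAbsolutePath().normalize();
        int extracted = 0;
        try (JarFile jf = new JarFile(jar.toFile())) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || !entry.getName().startsWith(FRONTEND_PREFIX)) {
                    continue;
                }
                String rel = entry.getName().substring(FRONTEND_PREFIX.length());
                Path out = root.resolve(rel).normalize();
                if (!out.startsWith(root)) {
                    throw new IOException("entry escapes target directory: " + entry.getName());
                }
                Files.createDirectories(out.getParent());
                try (InputStream in = jf.getInputStream(entry)) {
                    Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
                }
                extracted++;
            }
        }
        return extracted;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java FrontendExtractDemo <some-dependency.jar>");
            System.exit(2);
        }
        Path target = hardenedTargetDir(Paths.get("target", "frontend-extract"));
        int n = extractFrontend(Paths.get(args[0]), target);
        System.out.println("extracted " + n + " frontend file(s) into " + target);
    }
}
```

Run it against any jar that carries resources under the assumed prefix; the weak and hardened directory helpers are side by side so the difference is visible in one place. The key properties of the hardened form are that the directory name is unpredictable, it is created with mode 0700 in one step, and it lives in a location other local users cannot write to, so there is no window in which a watcher on /tmp can substitute content.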

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

| Product version | Mitigation |
| --- | --- |
| Vaadin 14.0.3 - 14.5.2 | Upgrade to 14.5.3 or newer 14 version |
| Vaadin 15 - 18 | No longer supported. Upgrade to 19.0.5 or newer version |
| Vaadin 19.0.0 - 19.0.4 | Upgrade to 19.0.5 or newer 19 version |

Please note that Vaadin versions 15-18 are no longer supported and you should update to the latest 19 version.

Artifacts

| Maven coordinates | Vulnerable version | Fixed version |
| --- | --- | --- |
| com.vaadin:flow-server | 2.0.9 - 2.5.2 | ≥ 2.5.3 |
| com.vaadin:flow-server | 3.0 - 5.0 | N/A |
| com.vaadin:flow-server | 6.0.0 - 6.0.5 | ≥ 6.0.6 |

History

  • 2021-05-04: Initial vulnerability report published