Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.
See CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Description
During the build of a Vaadin application project, the frontend resources it uses are extracted from Java artifacts (.jar). In affected Vaadin versions, the resources were temporarily copied to the operating system's default temp folder, which on *NIX-based systems is world-writable by default. A malicious local program could therefore watch and modify those resources, injecting code that would later execute as part of the application in the end user's browser.
Exploitation requires that the application is built on a *NIX system.
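As an added illustration, not Vaadin's own code: a constructed Java helper that contrasts staging extracted resources in a predictable directory under the shared system temp folder with creating a private directory and verifying it before use. It assumes a POSIX filesystem and Java 11 or newer; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

// Hypothetical helper, not part of Vaadin: staging extracted frontend resources safely.
public class PrivateStagingDir {

    // Weak pattern: a predictable path under the shared system temp folder.
    // On *NIX /tmp is world-writable, so another local user can pre-create
    // this directory or tamper with files placed in it before the build reads them.
    static Path weakStagingDir() throws IOException {
        Path dir = Paths.get(System.getProperty("java.io.tmpdir"), "frontend-resources");
        return Files.createDirectories(dir); // succeeds even if someone else already owns it
    }

    // Hardened pattern: unpredictable name, created atomically with mode 0700,
    // then verified before any resource is written into it.
    static Path privateStagingDir() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly = PosixFilePermissions
                .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        Path dir = Files.createTempDirectory("frontend-", ownerOnly);
        verifyPrivate(dir);
        return dir;
    }

    // Refuse a directory that is a symlink, owned by someone else, or writable by group/others.
    static void verifyPrivate(Path dir) throws IOException {
        PosixFileAttributes attrs =
                Files.readAttributes(dir, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        UserPrincipal me = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        Set<PosixFilePermission> perms = attrs.permissions();
        boolean sharedWrite = perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE);
        if (attrs.isSymbolicLink() || !attrs.isDirectory() || !attrs.owner().equals(me) || sharedWrite) {
            throw new IOException("Refusing untrusted staging directory: " + dir);
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = privateStagingDir();
        // Constructed sample resource, standing in for a file extracted from a .jar.
        Files.writeString(dir.resolve("bundle.js"), "console.log('constructed sample');");
        System.out.println("Staged into " + dir);
    }
}
```

The check in verifyPrivate is also useful on its own when a build must reuse a directory it did not create itself.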
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version | Mitigation
Vaadin 14.0.3 - 14.5.2 | Upgrade to 14.5.3 or newer 14 version
Vaadin 15 - 18 | No longer supported. Upgrade to 19.0.5 or newer version
Vaadin 19.0.0 - 19.0.4 | Upgrade to 19.0.5 or newer 19 version
Please note that Vaadin versions 15-18 are no longer supported and you should update to the latest 19 version.
Artifacts
Maven coordinates | Vulnerable version | Fixed version
com.vaadin:flow-server | 2.0.9 - 2.5.2 | ≥ 2.5.3
com.vaadin:flow-server | 3.0 - 5.0 | N/A
com.vaadin:flow-server | 6.0.0 - 6.0.5 | ≥ 6.0.6
References