Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19
Package
Affected versions
>= 2.0.9, <= 2.5.2
>= 3.0.0, <= 6.0.5
Patched versions
2.5.3
6.0.6
Description
Reviewed
May 4, 2021
Published to the GitHub Advisory Database
May 6, 2021
Last updated
Jan 9, 2023
Insecure temporary directory usage in frontend build functionality of
com.vaadin:flow-server
versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.References