CVE-2021-31411

EPSS 0.05%
Veröffentlicht 05.05.2021 19:15:08
Zuletzt bearbeitet 21.11.2024 06:05:36
Quelle security@vaadin.com
CVE-Watchlists
Login
Unerledigt
Login

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vaadin ≫ Flow Version >= 2.0.9 < 2.5.3

Vaadin ≫ Flow Version >= 3.0.0 <= 5.0.0

Vaadin ≫ Flow Version >= 6.0.0 <= 6.0.6

Vaadin ≫ Vaadin Version >= 14.0.3 < 14.5.3

Vaadin ≫ Vaadin Version >= 15.0.0 < 19.0.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.12

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
security@vaadin.com	6.3	1	5.2	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-379 Creation of Temporary File in Directory with Insecure Permissions

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

https://github.com/vaadin/flow/pull/10640

Patch

Third Party Advisory

https://vaadin.com/security/cve-2021-31411

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-31411

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-31411

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-31411

EUVD