[Security] Bump vaadin.version from 14.0.11 to 20.0.5

[dependabot-preview]

Bumps vaadin.version from 14.0.11 to 20.0.5.
Updates vaadin-bom from 14.0.11 to 20.0.5 This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19 URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

• https://vaadin.com/security/cve-2021-33604

Affected versions: >= 14.0.0, <= 14.6.1

Sourced from The GitHub Security Advisory Database.

Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

• https://vaadin.com/security/cve-2021-31411

Affected versions: >= 14.0.3, <= 14.5.2

Sourced from The GitHub Security Advisory Database.

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19 Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

• https://vaadin.com/security/cve-2021-31407

Affected versions: >= 12.0.0, < 14.4.10

Sourced from The GitHub Security Advisory Database.

Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17 Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

• https://vaadin.com/security/cve-2021-31405

Affected versions: >= 14.0.6, < 14.4.4

Sourced from The GitHub Security Advisory Database.

Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 through 13), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 through 17), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.

• https://vaadin.com/security/cve-2021-31404

Affected versions: >= 11.0.0, < 14.4.7

Sourced from The GitHub Security Advisory Database.

Directory traversal in development mode handler in Vaadin 14 and 15-17 Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 through 17) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

• https://vaadin.com/security/cve-2020-36321

Affected versions: >= 14.0.0, < 14.4.3

Updates vaadin-maven-plugin from 14.0.11 to 20.0.5

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)