Vulnerability Details: CVE-2021-22568
When the dart pub publish command is used to publish a package to a third-party package server, the request is authenticated with an OAuth2 access_token that is valid for publishing on pub.dev. An attacker who obtains these credentials can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0.
Products affected by CVE-2021-22568
- cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-22568
- 0.15% - Probability of exploitation activity in the next 30 days
- ~52% - Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-22568
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST | 
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L | 2.8 | 5.3 | Google Inc. | 
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L | 2.8 | 5.3 | NIST | 
CWE ids for CVE-2021-22568
- Assigned by: cve-coordination@google.com (Secondary)
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-22568
- https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7 - Publishing to third-party package repositories may expose pub.dev credentials · Advisory · dart-lang/sdk · GitHub (Issue Tracking)
- https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md - sdk/CHANGELOG.md at main · dart-lang/sdk · GitHub (Patch; Third Party Advisory)
- https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 - Bump pub · dart-lang/sdk@d787e78 · GitHub (Patch; Third Party Advisory)