CVE-2021-22568

Опубликовано: 09 дек. 2021

Источник: nvd

CVSS3: 8.8

CVSS2: 6

EPSS Низкий

Описание

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0

Ссылки

https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md
Patch
Third Party Advisory
https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8
Patch
Third Party Advisory
https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7
Issue Tracking
https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md
Patch
Third Party Advisory
https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8
Patch
Third Party Advisory
https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7
Issue Tracking

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*

Версия до 2.15.0 (исключая)

EPSS

Процентиль: 63%

0.0044

Низкий

8.8 High

CVSS3

6 Medium

CVSS2

Дефекты

CWE-255

CWE-668