Vulnerability Description
When the dart pub publish command was used to publish a package to a third-party package server, the client authenticated the upload request with the user's OAuth2 access_token for pub.dev. A credential that is valid for publishing on pub.dev was therefore sent to a server that should never receive it, and the operator of that server (or anyone else with access to the request) can use the token to impersonate the user on pub.dev, including publishing under the user's account. The fix is in Dart SDK 2.15.0, which includes https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8; upgrade to 2.15.0 or later (dart --version shows the installed version). If a pre-2.15.0 client was ever used to publish to a third-party server, treat the pub.dev token as exposed and revoke it.
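The underlying bug class is a credential bound to one origin being attached to requests for any origin. The Python example below is added here and is not Dart SDK code: it models the pre-fix token selection beside a scoped selector that only attaches a token registered for the exact origin of the target server, plus a check that reports whether the pub.dev token would be disclosed. The credential store, tokens, URLs and header values are constructed for the example, and the scoped selector illustrates the principle rather than the SDK's actual implementation.

```python
# Added example, not Dart SDK code: models the credential-scoping bug behind
# CVE-2021-22568 and the scoped behaviour that prevents it. All store contents,
# tokens and URLs below are constructed for illustration.
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed credential store: server origin -> OAuth2 access token.
PUB_DEV = "https://pub.dev"
CREDENTIALS = {
    PUB_DEV: "ya29.EXAMPLE-pub-dev-access-token",
    "https://pub.internal.example": "EXAMPLE-third-party-token",
}


def origin_of(url: str) -> str:
    """Scheme + host[:port], lower-cased: the unit a credential is bound to."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def token_vulnerable(publish_url: str) -> Optional[str]:
    """Pre-2.15.0 behaviour as described in the advisory: the single pub.dev
    token is attached to every publish request, whatever the destination."""
    return CREDENTIALS[PUB_DEV]


def token_fixed(publish_url: str) -> Optional[str]:
    """Scoped behaviour: attach only a token registered for the exact origin
    of the target server, and only over HTTPS; otherwise attach nothing."""
    origin = origin_of(publish_url)
    if not origin.startswith("https://"):
        return None  # never send a bearer token in cleartext
    return CREDENTIALS.get(origin)


def publish_headers(publish_url: str,
                    select: Callable[[str], Optional[str]] = token_fixed) -> dict:
    """Headers for a publish request using the given token selector.
    The Accept value is illustrative, not a statement about the pub API."""
    headers = {"Accept": "application/vnd.pub.v2+json"}
    token = select(publish_url)
    if token is not None:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def leaks_pub_dev_token(publish_url: str,
                        select: Callable[[str], Optional[str]]) -> bool:
    """True if `select` would disclose the pub.dev token to a different origin."""
    token = select(publish_url)
    return token == CREDENTIALS[PUB_DEV] and origin_of(publish_url) != PUB_DEV


if __name__ == "__main__":
    for url in ("https://pub.dev/api/packages/versions/new",
                "https://pub.internal.example/api/packages/versions/new",
                "https://attacker.example/api/packages/versions/new"):
        print(url,
              "| vulnerable leaks:", leaks_pub_dev_token(url, token_vulnerable),
              "| fixed leaks:", leaks_pub_dev_token(url, token_fixed))
```

With the vulnerable selector, the pub.dev token is reported as leaked for every non-pub.dev destination; with the scoped selector, a third-party server receives only a token registered for its own origin, or no Authorization header at all.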
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dart | Dart Software Development Kit | < 2.15.0 |
Related Weaknesses (CWE)
References
- https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md (Patch, Third Party Advisory)
- https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 (Patch, Third Party Advisory)
- https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7 (Issue Tracking)
FAQ
What is CVE-2021-22568?
CVE-2021-22568 is a credential-disclosure vulnerability in the Dart SDK before 2.15.0 with a CVSS base score of 8.8 (HIGH). When dart pub publish was used to publish a package to a third-party package server, the client authenticated the request with the user's OAuth2 access_token for pub.dev, so whoever operates that server could use the token to impersonate the user on pub.dev.
How severe is CVE-2021-22568?
CVE-2021-22568 has been rated HIGH with a CVSS base score of 8.8/10. The impact is disclosure of a pub.dev publishing credential: the token allows the receiving server's operator to act as the affected user on pub.dev, including publishing packages under that user's account.
Is there a patch for CVE-2021-22568?
Yes. The fix shipped in Dart SDK 2.15.0 (commit d787e78d21e12ec1ef712d229940b1172aafcdf8 in dart-lang/sdk); see the references above for the changelog and the GitHub advisory GHSA-r32f-vhjp-qhj7. Affected product: Dart Software Development Kit (Dart), versions before 2.15.0.