CVE Vulnerability

CVE-2021-22568

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0

6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md Patch Third Party Advisory
https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7 Issue Tracking
https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*
Information

Published : 2021-12-09 05:15

Updated : 2021-12-14 07:55

NVD link : CVE-2021-22568

Mitre link : CVE-2021-22568

Products Affected
No products.
CWE
CWE-668