Vulnerabilities > CVE-2021-22568 - Exposure of Resource to Wrong Sphere vulnerability in Dart Software Development KIT

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
HIGH
Availability impact
LOW
network
low complexity
dart
CWE-668
NVD
Published: 2021-12-09
Updated: 2021-12-14

Summary

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0

Vulnerable Configurations

Part Description Count
Application
Dart
968

Common Weakness Enumeration (CWE)

References