CVE-2021-22568

Dart - Publishing to third-party package repositories may expose pub.dev credentials

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0

Cuando es usado el comando dart pub publish para publicar un paquete en un servidor de paquetes de terceros, la petición se autentifica con un access_token oauth2 válido para publicar en pub.dev. Usando estas credenciales obtenidas, un atacante puede suplantar al usuario en pub.dev. Se recomienda actualizar a partir de https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 o de la versión 2.15

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-05 CVE Reserved
2021-12-09 CVE Published
2024-08-03 CVE Updated
2024-08-24 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-255: Credentials Management Errors
CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (3)

URL	Tag	Source
https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md	2021-12-14
https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8	2021-12-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dart Search vendor "Dart"		Dart Software Development Kit Search vendor "Dart" for product "Dart Software Development Kit"				< 2.15.0 Search vendor "Dart" for product "Dart Software Development Kit" and version " < 2.15.0"		-		Affected