// For flags

CVE-2022-0451

Auth bypass in Dark SDK

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond.

Dart SDK contiene la biblioteca HTTPClient en dart:io que incluye encabezados de autorización cuando maneja redireccionamientos de origen cruzado. Estos encabezados pueden ser establecidas explícitamente y contienen información confidencial. Por fallo, HttpClient maneja la lógica de redirección. Si es enviado una petición a example.com con un encabezado de autorización y es redirigido a un sitio de atacantes, éstos podrían no esperar que el sitio del atacante reciba el encabezado de autorización. Recomendamos actualizar Dart SDK a versión 2.16.0 o superior

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-02-01 CVE Reserved
  • 2022-02-18 CVE Published
  • 2023-08-01 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-305: Authentication Bypass by Primary Weakness
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Dart
Search vendor "Dart"
 Dart Software Development Kit
Search vendor "Dart" for product "Dart Software Development Kit"
 < 2.16.0
Search vendor "Dart" for product "Dart Software Development Kit" and version " < 2.16.0"
-
Affected