CVE-2021-22568 - OpenCVE

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dart	Dart Software Development Kit

Configuration 1 [-]

cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md
https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8
https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2021-12-09T17:05:12

Updated: 2024-08-03T18:44:14.137Z

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22568

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-09T17:15:07.567

Modified: 2021-12-14T19:55:06.147

Link: CVE-2021-22568

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Dart SDK", "vendor": "Google LLC", "versions": [{"lessThan": "2.15.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-255", "description": "CWE-255 Credentials Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-09T17:05:12", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7"}], "source": {"discovery": "UNKNOWN"}, "title": "Dart - Publishing to third-party package repositories may expose pub.dev credentials", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2021-22568", "STATE": "PUBLIC", "TITLE": "Dart - Publishing to third-party package repositories may expose pub.dev credentials"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Dart SDK", "version": {"version_data": [{"version_affected": "<", "version_value": "2.15.0"}]}}]}, "vendor_name": "Google LLC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-255 Credentials Management"}]}]}, "references": {"reference_data": [{"name": "https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8", "refsource": "MISC", "url": "https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8"}, {"name": "https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md", "refsource": "MISC", "url": "https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md"}, {"name": "https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7", "refsource": "MISC", "url": "https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:44:14.137Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2021-22568", "datePublished": "2021-12-09T17:05:12", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2024-08-03T18:44:14.137Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "F12093A9-8594-4A7E-853E-2D4C28977D25", "versionEndExcluding": "2.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0"}, {"lang": "es", "value": "Cuando es usado el comando dart pub publish para publicar un paquete en un servidor de paquetes de terceros, la petici\u00f3n se autentifica con un access_token oauth2 v\u00e1lido para publicar en pub.dev. Usando estas credenciales obtenidas, un atacante puede suplantar al usuario en pub.dev. Se recomienda actualizar a partir de https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 o de la versi\u00f3n 2.15"}], "id": "CVE-2021-22568", "lastModified": "2021-12-14T19:55:06.147", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.3, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.3, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2021-12-09T17:15:07.567", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8"}, {"source": "cve-coordination@google.com", "tags": ["Issue Tracking"], "url": "https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-255"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}