VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2021 · Updated Aug 3, 2024

Dart - Publishing to third-party package repositories may expose pub.dev credentials

CVE-2021-22568

Description

When the dart pub publish command is used to publish a package to a third-party package server, the request is authenticated with an OAuth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0.
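
The pattern in the description, a token issued for one server attached to a request bound for another, shown beside an origin-scoped alternative; this is an added Python illustration, not code from the Dart SDK or its fix. The function names, the token store layout and the placeholder token are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample data: the token is a placeholder, not a real credential.
PUB_DEV_ORIGIN = ("https", "pub.dev", 443)
SAMPLE_TOKENS = {PUB_DEV_ORIGIN: "PLACEHOLDER_PUB_DEV_ACCESS_TOKEN"}


def origin_of(url):
    """Return (scheme, host, port), or None if the URL must never carry a token."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None                # no bearer tokens over cleartext
    if parts.username is not None or parts.password is not None:
        return None                # https://pub.dev@other.example/ is not pub.dev
    host = parts.hostname.rstrip(".")   # hostname is already lower-cased
    return (parts.scheme, host, 443 if port is None else port)


def headers_unscoped(upload_url, tokens):
    """Flawed pattern: the pub.dev token goes to whichever server is targeted."""
    return {"Authorization": "Bearer " + tokens[PUB_DEV_ORIGIN]}


def headers_scoped(upload_url, tokens):
    """Attach a token only if it was stored for exactly this origin."""
    token = tokens.get(origin_of(upload_url))
    return {"Authorization": "Bearer " + token} if token else {}


if __name__ == "__main__":
    # Constructed URLs: one first-party, one third-party, two look-alikes.
    for url in ("https://pub.dev/upload",
                "https://packages.example.com/upload",
                "https://pub.dev.example.net/upload",
                "https://pub.dev@packages.example.com/upload"):
        unscoped = "Authorization" in headers_unscoped(url, SAMPLE_TOKENS)
        scoped = "Authorization" in headers_scoped(url, SAMPLE_TOKENS)
        print(f"{url}: unscoped sends token={unscoped}, scoped sends token={scoped}")
```

The comparison is an exact match on scheme, host and port, so a look-alike host or a URL with pub.dev in its userinfo part receives no token.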

Affected products

  • Dart/SDK (llm-fuzzy)
    Range: <2.15.0
  • Google LLC/Dart SDK (v5)
    Range: unspecified
