Publishing to third-party package repositories may expose pub.dev credentials

Moderate
mit-mit published GHSA-r32f-vhjp-qhj7 Dec 8, 2021

Package

No package listed

Affected versions

<2.15.0

Patched versions

2.15.0

Description

Impact

A malicious third-party package repository may impersonate a user on pub.dev for up to one hour after the user has published a package to that third-party package repository using dart pub publish.

When publishing Dart packages to third-party package repositories using dart pub publish, Dart SDKs prior to 2.15.0 will authorize the request using an OAuth2 access_token intended for authentication with pub.dev. Thus, a malicious third-party package repository could use this access_token to impersonate the user on pub.dev. The access_token is usually only valid for up to one hour, but an attacker could persist access by using the access_token to obtain uploader permissions.

This only affects users who publish packages to a third-party package repository by:

  1. Specifying publish_to: https://my-pub-server.com/ in pubspec.yaml and publishing using dart pub publish;
  2. Defining environment variable PUB_HOSTED_URL=https://my-pub-server.com/ and publishing using dart pub publish; or
  3. Publishing using dart pub publish --server https://my-pub-server.com/.

Patches

This is fixed as of Dart SDK version 2.15.0.

As of Dart SDK version 2.15.0, requests to third-party package repositories no longer include an OAuth2 access_token intended for pub.dev. Requests to third-party package repositories can instead be authenticated using opaque tokens passed to the Dart SDK with dart pub token add https://my-pub-server.com.
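The credential selection this advisory describes, before and after the 2.15.0 fix, as an added Python model; it is not the Dart SDK's own code, and the hostnames, precedence order and function names are assumptions:

```python
"""Constructed model of which credential `dart pub publish` attaches to a request,
as described in GHSA-r32f-vhjp-qhj7. Not the Dart SDK's implementation."""
from urllib.parse import urlsplit

# pub.dartlang.org is the legacy hostname for pub.dev (assumed equivalent here).
PUB_DEV_HOSTS = {"pub.dev", "pub.dartlang.org"}
PATCHED = (2, 15, 0)


def parse_version(v):
    """'2.14.4' -> (2, 14, 4); a pre-release suffix such as '-dev.1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def publish_target(pubspec_publish_to=None, pub_hosted_url=None, server_flag=None):
    """Repository a publish would go to, via the three routes the advisory lists.
    Precedence (--server, then publish_to, then PUB_HOSTED_URL) is an assumption.
    `publish_to: none` disables publishing entirely and yields None."""
    if pubspec_publish_to == "none":
        return None
    return server_flag or pubspec_publish_to or pub_hosted_url or "https://pub.dev"


def credential_for(target_url, sdk_version, pubdev_oauth_token, hosted_tokens):
    """Return (kind, token) the SDK would send to target_url.
    hosted_tokens maps hostname -> opaque token registered with `dart pub token add`."""
    host = urlsplit(target_url).hostname
    if host in PUB_DEV_HOSTS:
        return ("oauth2", pubdev_oauth_token)
    if parse_version(sdk_version) < PATCHED:
        # Vulnerable behaviour: the pub.dev OAuth2 access_token goes to a third party.
        return ("oauth2", pubdev_oauth_token)
    # Fixed behaviour: only the opaque token registered for that host, if any.
    return ("opaque", hosted_tokens.get(host))


def leaks_pubdev_token(target_url, sdk_version):
    """True when a publish to target_url with this SDK would expose the pub.dev token."""
    if target_url is None:
        return False
    kind, _ = credential_for(target_url, sdk_version, "<pub.dev token>", {})
    return kind == "oauth2" and urlsplit(target_url).hostname not in PUB_DEV_HOSTS
```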

Workarounds

Avoid publishing to untrusted third-party package repositories with dart pub publish using a Dart SDK prior to 2.15.0.

Mitigations

If you've published a package to a third-party package repository, consider doing an audit of all your account activity on the pub.dev public package repository. You can use the pub.dev activity log for this.

Severity

Moderate

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE ID

CVE-2021-22568

Weaknesses

No CWEs