GoogleOSV:GHSA-9324-JV53-9CC8dio vulnerable to CRLF injection with HTTP method string
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
72.8%
Impact
The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.
Patches
The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0.
Workarounds
Cherry-pick the commit to your own fork can resolves the vulberability too.
References
References
github.com/cfug/dio
github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984
github.com/cfug/dio/issues/1752
github.com/cfug/dio/security/advisories/GHSA-9324-jv53-9cc8
github.com/flutterchina/dio/issues/1130
nvd.nist.gov/vuln/detail/CVE-2021-31402
osv.dev/GHSA-jwpw-q68h-r678
security.snyk.io/vuln/SNYK-PUB-DIO-5891148
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
72.8%