GHSA-9324-jv53-9cc8

Suggest an improvement
Source
https://github.com/advisories/GHSA-9324-jv53-9cc8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-9324-jv53-9cc8/GHSA-9324-jv53-9cc8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9324-jv53-9cc8
Aliases
Published
2023-03-21T22:41:11Z
Modified
2024-02-16T08:19:11.352648Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
dio vulnerable to CRLF injection with HTTP method string
Details

Impact

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

Patches

The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0.

Workarounds

Cherry-pick the commit to your own fork can resolves the vulberability too.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2021-31402
  • https://osv.dev/GHSA-jwpw-q68h-r678
  • https://github.com/cfug/dio/issues/1130
  • https://github.com/cfug/dio/issues/1752
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-93"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:41:11Z"
}
References

Affected packages

Pub / dio

Package

Name
dio
Purl
pkg:pub/dio

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.2.0
2.2.1
2.2.2

3.*

3.0.0-dev.1
3.0.0
3.0.1
3.0.2-dev.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8-dev.1
3.0.8
3.0.9
3.0.10

4.*

4.0.0-beta1
4.0.0-beta2
4.0.0-beta3
4.0.0-beta4
4.0.0-beta5
4.0.0-beta6
4.0.0-beta7
4.0.0-prev1
4.0.0-prev2
4.0.0-prev3
4.0.0
4.0.1
4.0.2-beta1
4.0.2
4.0.3
4.0.4
4.0.5-beta1
4.0.5
4.0.6