CVE-2021-22568

Name of the Vulnerable Software and Affected Versions Dart SDK versions prior to 2.15.0

Description The issue arises when using the dart pub publish command to publish a package to a third-party package server. The request is authenticated with an oauth2 access token that is valid for publishing on pub.dev. An attacker can use these obtained credentials to impersonate the user on pub.dev.

Recommendations For versions prior to 2.15.0, upgrade past the commit https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or to version 2.15.0 or beyond to resolve the issue. As a temporary workaround, consider restricting the use of the dart pub publish command to trusted package servers until the upgrade is applied.