CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,579 CVEs tracked | 53,237 with exploits | 4,709 exploited in wild | 1,539 CISA KEV | 3,914 Nuclei templates | 37,790 vendors | 42,457 researchers
9 results
CVE-2024-48915 EPSS 0.00
PUB Agent Dart < 1.0.0-dev.29 - Improper Certificate Validation
Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in `lib/agent/certificate.dart` does not occur properly. During the delegation verification in the `_checkDelegation` function, the `canister_ranges` aren't verified. The impact of not checking the `canister_ranges` is that a subnet can sign canister responses on behalf of another subnet. The certificate's timestamp, i.e. the `/time` path, is also not verified, meaning that the certificate effectively has no expiration time. Version 1.0.0-dev.29 implements appropriate certificate verification.
CWE-295 Oct 15, 2024
CVE-2024-29887 7.4 HIGH 1 Writeup EPSS 0.00
Serverpod <1.2.6 - Auth Bypass
Serverpod is an app and web server, built for the Flutter and Dart ecosystem. This bug bypassed the validation of TLS certificates on all non-web HTTP clients in the `serverpod_client` package, making them susceptible to a man-in-the-middle attack against encrypted traffic between the client device and the server. An attacker would need to be able to intercept the traffic and hijack the connection to the server for this vulnerability to be used. Upgrading to version `1.2.6` resolves this issue.
CWE-295 Mar 27, 2024
CVE-2024-29886 5.3 MEDIUM 1 Writeup EPSS 0.00
Serverpod <1.2.6 - Info Disclosure
Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow table attacks if the database was compromised. This vulnerability is fixed by 1.2.6.
CWE-916 Mar 27, 2024
CVE-2023-26154 5.9 MEDIUM 1 Writeup EPSS 0.00
PubNub <7.4.0, <6.19.0, <7.3.0, <6.1.0, <5.3.0, <0.4.0 - Path Trave...
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.
CWE-331 Dec 06, 2023
CVE-2023-39139 7.8 HIGH EPSS 0.00
Archive <3.3.7 - Path Traversal
An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.
CWE-22 Aug 30, 2023
CVE-2023-39137 7.8 HIGH EPSS 0.00
Archive <3.3.7 - Info Disclosure
An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.
CWE-20 Aug 30, 2023
CVE-2023-22963 5.3 MEDIUM EPSS 0.00
Personnummer < 3.0.3 - Improper Input Validation
The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the `^000[0-9]$` regular expression.
CWE-20 Jan 11, 2023
CVE-2021-31402 7.5 HIGH EPSS 0.00
Flutterchina Dio < 5.0.0 - Injection
The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.
CWE-74 Apr 15, 2021
CVE-2020-35669 6.1 MEDIUM 1 PoC Analysis EPSS 0.25
Dart HTTP < 0.12.2 - Injection
An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request.
CWE-74 Dec 24, 2020