GHSA-3hpf-ff72-j67p – shared_preferences_android

Package

Manager: pub
Name: shared_preferences_android
Vulnerable Version: =2.3.3 || >=2.3.3 <2.3.4

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

EPSS: N/A pctlN/A

Details

shared_preferences_android vulnerability ### Impact Due to some data types not being natively representable for the available storage options, shared_preferences_android serializes and deserializes special string prefixes to store these unrepresentable data types. This allows arbitrary classes to be deserialized leading to arbitrary code execution. As a result, Files containing the preferences can be overwritten with a malicious one with a deserialization payload that triggers as soon as the data is loaded from the disk. ### Patches 2.3.4 ### Workarounds Update to the latest version of shared_preferences_android that contains the changes to address this vulnerability. ### References TBD ### For more information See [our community page](https://dart.dev/community) to find ways to contact the team. ### Thanks Thank you so much to Oskar Zeino-Mahmalat from sonarsource for finding and reporting this issue!

Metadata

Created: 2024-12-06T21:24:30Z
Modified: 2024-12-06T21:24:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-3hpf-ff72-j67p/GHSA-3hpf-ff72-j67p.json
CWE IDs: ["CWE-502"]
Alternative ID: N/A
Finding: F096
Auto approve: 1