CVE-2021-31402

High

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than…

mitre·CWE-74·Published 2021-04-15

CVSS

7.5

EPSS

0.01

KEV

Exploits

cve.orgen

148 chars

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

NVDen

148 chars

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

### Impact The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669. ### Patches The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0. ### Workarounds Cherry-pick the commit to your own fork can resolves the vulberability too. ### References - https://nvd.nist.gov/vuln/detail/CVE-2021-31402 - https://osv.dev/GHSA-jwpw-q68h-r678 - https://github.com/cfug/dio/issues/1130 - https://github.com/cfug/dio/issues/1752

GHSAen

596 chars

NVDes

164 chars

El paquete dio versión 4.0.0 para Dart, permite una inyección CRLF si el atacante controla la cadena del método HTTP, una vulnerabilidad diferente de CVE-2020-35669

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.0	10.0	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
3.1	Primary	NVD	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
3.1	Secondary	GHSA	7.5	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N