Improper Certificate Validation Affecting agent_dart package, versions <1.0.0-dev.29


Severity

high

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.05% (17th percentile)

  • Snyk ID SNYK-PUB-AGENTDART-8220288
  • published 16 Oct 2024
  • disclosed 15 Oct 2024
  • credit Unknown

How to fix?

Upgrade agent_dart to version 1.0.0-dev.29 or higher.

Overview

agent_dart is an agent library for the Internet Computer, provided as a plugin package for Dart and Flutter apps. Developers can use it to build apps that interact with Dfinity's blockchain directly.

Affected versions of this package are vulnerable to Improper Certificate Validation due to improper handling in the _checkDelegation function. An attacker can impersonate a subnet and sign canister responses on behalf of another subnet by exploiting unchecked canister_ranges. Additionally, the lack of verification for the certificate's timestamp allows the certificate to effectively have no expiration time.
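
The two missing checks described above, sketched in Dart as an added example; this is not agent_dart's code or its actual fix. All names are hypothetical, and the byte-wise ID ordering and the five-minute window are assumptions made for the illustration.

```dart
// Hypothetical helper names for illustration; not agent_dart's API.
class CanisterRange {
  const CanisterRange(this.start, this.end);
  final List<int> start; // inclusive lower bound (principal bytes)
  final List<int> end; // inclusive upper bound (principal bytes)
}

// Byte-wise lexicographic order; assumed ordering for canister IDs.
int compareBytes(List<int> a, List<int> b) {
  final n = a.length < b.length ? a.length : b.length;
  for (var i = 0; i < n; i++) {
    if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return a.length.compareTo(b.length);
}

// True only if the delegation's canister_ranges cover canisterId.
bool canisterInRanges(List<int> canisterId, List<CanisterRange> ranges) =>
    ranges.any((r) =>
        compareBytes(r.start, canisterId) <= 0 &&
        compareBytes(canisterId, r.end) <= 0);

// True only if certTime lies within [now - maxAge, now + maxSkew].
// The five-minute defaults are an assumed policy for this example.
bool certificateIsFresh(DateTime certTime, DateTime now,
        {Duration maxAge = const Duration(minutes: 5),
        Duration maxSkew = const Duration(minutes: 5)}) =>
    !certTime.isBefore(now.subtract(maxAge)) &&
    !certTime.isAfter(now.add(maxSkew));

// Both checks must pass before a delegated subnet key is trusted.
void checkDelegationPolicy(List<int> canisterId, List<CanisterRange> ranges,
    DateTime certTime, DateTime now) {
  if (!canisterInRanges(canisterId, ranges)) {
    throw StateError('canister ID is outside the delegation canister_ranges');
  }
  if (!certificateIsFresh(certTime, now)) {
    throw StateError('certificate timestamp is outside the accepted window');
  }
}

void main() {
  // Constructed sample values, not real subnet data.
  final ranges = [CanisterRange([0, 0, 0, 16, 1, 1], [0, 0, 0, 31, 1, 1])];
  final now = DateTime.utc(2024, 10, 15, 12);
  // In range and fresh, so no exception is thrown.
  checkDelegationPolicy([0, 0, 0, 20, 1, 1], ranges, now, now);
  print(canisterInRanges([0, 0, 0, 48, 1, 1], ranges));
  print(certificateIsFresh(now.subtract(const Duration(hours: 1)), now));
}
```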

CVSS Scores

version 4.0

Snyk

Recommended
8.7 high
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Confidentiality (VC): None
  • Integrity (VI): High
  • Availability (VA): None
  • Confidentiality (SC): None
  • Integrity (SI): None
  • Availability (SA): None