{"advisories":[{"schema_version":"1.6.0","id":"GHSA-3hpf-ff72-j67p","modified":"2024-12-06T21:24:30Z","published":"2024-12-06T21:24:30Z","aliases":[],"summary":"shared_preferences_android vulnerability","details":"### Impact\nDue to some data types not being natively representable for the available storage options, shared_preferences_android serializes and deserializes special string prefixes to store these unrepresentable data types. This allows arbitrary classes to be deserialized leading to arbitrary code execution.\n\nAs a result, Files containing the preferences can be overwritten with a malicious one with a deserialization payload that triggers as soon as the data is loaded from the disk.\n\n### Patches\n2.3.4\n\n### Workarounds\nUpdate to the latest version of shared_preferences_android that contains the changes to address this vulnerability.\n\n### References\nTBD\n\n### For more information\nSee [our community page](https://dart.dev/community) to find ways to contact the team.\n\n### Thanks\nThank you so much to Oskar Zeino-Mahmalat from sonarsource for finding and reporting this issue!","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L"}],"affected":[{"package":{"ecosystem":"Pub","name":"shared_preferences_android","purl":"pkg:pub/shared_preferences_android"},"ranges":[{"type":"ECOSYSTEM","repo":null,"events":[{"introduced":"2.3.3","fixed":null,"last_affected":null,"limit":null},{"introduced":null,"fixed":"2.3.4","last_affected":null,"limit":null}],"database_specific":null}],"versions":["2.3.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-3hpf-ff72-j67p/GHSA-3hpf-ff72-j67p.json"},"ecosystem_specific":null}],"references":[{"type":"WEB","url":"https://github.com/flutter/packages/security/advisories/GHSA-3hpf-ff72-j67p"},{"type":"WEB","url":"https://github.com/flutter/packages/commit/15501ece235684a3bdddad089345fc3e33dc1df3"},{"type":"PACKAGE","url":"https://github.com/flutter/packages"}],"database_specific":{"nvd_published_at":null,"cwe_ids":["CWE-502"],"severity":"LOW","github_reviewed":true,"github_reviewed_at":"2024-12-06T21:24:30Z","pub_display_url":"https://github.com/advisories/GHSA-3hpf-ff72-j67p"}}],"advisoriesUpdated":"2024-12-07T03:41:02.359282Z"}