GHSA-3hpf-ff72-j67p

Details

Impact

Due to some data types not being natively representable for the available storage options, shared_preferences_android serializes and deserializes special string prefixes to store these unrepresentable data types. This allows arbitrary classes to be deserialized leading to arbitrary code execution.

As a result, Files containing the preferences can be overwritten with a malicious one with a deserialization payload that triggers as soon as the data is loaded from the disk.

Patches

2.3.4

Workarounds

Update to the latest version of shared_preferences_android that contains the changes to address this vulnerability.

References

TBD

For more information

See our community page to find ways to contact the team.

Thanks

Thank you so much to Oskar Zeino-Mahmalat from sonarsource for finding and reporting this issue!

Affected Packages

Pubshared_preferences_android

Affected versions:

2.3.3

Fixed in:

2.3.4

References

ADVISORYhttps://github.com/advisories/GHSA-3hpf-ff72-j67p PACKAGEhttps://github.com/flutter/packages WEBhttps://github.com/flutter/packages/commit/15501ece235684a3bdddad089345fc3e33dc1df3 WEBhttps://github.com/flutter/packages/security/advisories/GHSA-3hpf-ff72-j67p

GHSA-3hpf-ff72-j67p

Details

Impact

Patches

Workarounds

References

For more information

Thanks

Affected Packages

References

CVSS Analysis

Ecosystems

Timeline