astarub / campus_app

Campus App of Ruhr-University Bochum
https://app.asta-bochum.de
GNU Affero General Public License v3.0

GHSA-9324-jv53-9cc8 #124

Closed MixColumns closed 11 months ago

MixColumns commented 11 months ago

As far as I can tell the app currently uses the vulnerable dependency dio:

https://osv.dev/vulnerability/GHSA-9324-jv53-9cc8 CVSS 7.5

"The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669."
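
One defensive check against the method-string CRLF injection the advisory describes, given here as an added example in Dart and not as code from the campus_app project or from dio itself; `safeRequest` is a hypothetical wrapper, and the regex is the HTTP method token grammar (no CR, LF or other separators allowed).

```dart
// Added example, not part of campus_app: validate an HTTP method string
// before it reaches dio 4.0.0, which would otherwise copy CR/LF from the
// method straight into the request line.
import 'package:dio/dio.dart';

// An HTTP method is a "token": one or more tchar characters. CR, LF,
// spaces and other separators are not tchar, so they never match.
final RegExp _tokenChars = RegExp(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$");

/// Returns true only when [method] is a syntactically valid HTTP method token.
bool isValidHttpMethod(String method) => _tokenChars.hasMatch(method);

/// Hypothetical wrapper for this example: issues the request through dio only
/// when the method passes validation, and throws instead of letting an
/// attacker-controlled string with embedded CR/LF through.
Future<Response<dynamic>> safeRequest(Dio dio, String method, String path) {
  if (!isValidHttpMethod(method)) {
    throw ArgumentError.value(
        method, 'method', 'not a valid HTTP method token');
  }
  return dio.request<dynamic>(path, options: Options(method: method));
}

void main() {
  // Constructed inputs: a normal method and one carrying an injected header.
  final samples = ['POST', 'GET\r\nX-Injected: 1', 'GET X'];
  for (final m in samples) {
    print('${m.replaceAll('\r', r'\r').replaceAll('\n', r'\n')}'
        ' -> ${isValidHttpMethod(m) ? 'accepted' : 'rejected'}');
  }
}
```

Updating dio to a fixed release is the actual remediation; this check only keeps a method string from untrusted input from reaching the vulnerable builder in the meantime.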

henry-herrmann commented 11 months ago

#114 will fix this.

domai-tb commented 11 months ago

See discussion at #120