
[Vulnerability]: Security scanner found vulnerability in device info plus plugin

Open immankumarsync opened this issue 1 year ago • 1 comments

Platform

Android

Plugin

device_info_plus

Version

10.1.0

Flutter SDK

3.22.0

Steps to reproduce

Scan the repo using snyk

Vulnerability report for the 'packages/device_info_plus/device_info_plus/android/build.gradle' file.

https://www.cve.org/CVERecord?id=CVE-2020-29582


Code Sample

No response

Logs

NA

Flutter Doctor

[√] Flutter (Channel stable, 3.22.0, on Microsoft Windows [Version 10.0.22621.3593], locale en-US)
    • Flutter version 3.22.0 on channel stable at C:\sdk\flutter
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 5dcb86f68f (7 days ago), 2024-05-09 07:39:20 -0500
    • Engine revision f6344b75dc
    • Dart version 3.4.0
    • DevTools version 2.34.3

[√] Windows Version (Installed version of Windows is version 10 or higher)

[√] Android toolchain - develop for Android devices (Android SDK version 34.0.0)
    • Android SDK at C:\sdk\android-sdk
    • Platform android-34, build-tools 34.0.0
    • ANDROID_HOME = C:\sdk\android-sdk
    • Java binary at: C:\Program Files\Android\Android Studio\jbr\bin\java
    • Java version OpenJDK Runtime Environment (build 17.0.10+0--11572160)
    • All Android licenses accepted.

[√] Chrome - develop for the web
    • Chrome at C:\Program Files\Google\Chrome\Application\chrome.exe

[√] Visual Studio - develop Windows apps (Visual Studio Professional 2022 17.9.6)
    • Visual Studio at C:\Program Files\Microsoft Visual Studio\2022\Professional
    • Visual Studio Professional 2022 version 17.9.34728.123
    • Windows 10 SDK version 10.0.22621.0

[√] Android Studio (version 2023.3)
    • Android Studio at C:\Program Files\Android\Android Studio
    • Flutter plugin can be installed from:
       https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
       https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.10+0--11572160)

[√] VS Code (version 1.89.1)
    • VS Code at C:\Users\[Username]\AppData\Local\Programs\Microsoft VS Code
    • Flutter extension version 3.88.0

[√] Connected device (3 available)
    • Windows (desktop) • windows • windows-x64    • Microsoft Windows [Version 10.0.22621.3593]
    • Chrome (web)      • chrome  • web-javascript • Google Chrome 124.0.6367.207
    • Edge (web)        • edge    • web-javascript • Microsoft Edge 124.0.2478.97

[√] Network resources
    • All expected network resources are available.

• No issues found!

Checklist before submitting a bug

  • [X] I searched issues in this repository and couldn't find such bug/problem
  • [X] I Google'd a solution and I couldn't find it
  • [X] I searched on StackOverflow for a solution and I couldn't find it
  • [X] I read the README.md file of the plugin
  • [X] I'm using the latest version of the plugin
  • [X] All dependencies are up to date with flutter pub upgrade
  • [X] I did a flutter clean
  • [X] I tried running the example project

immankumarsync avatar May 16 '24 10:05 immankumarsync

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

But device_info_plus uses 1.7.22 and doesn't call either of those two methods.

miquelbeltran avatar May 17 '24 10:05 miquelbeltran
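The triage above rests on two checks: the Kotlin version pinned in the module's build.gradle is at or past 1.4.21, and none of the module's own Kotlin code calls the kotlin.io helpers the CVE is about. The script below is an added example that automates both checks; it is not code from device_info_plus, its maintainers, or Snyk. It assumes the two functions in question are kotlin.io's top-level `createTempDir` and `createTempFile`, and that the build pins Kotlin in one of the common Gradle forms (`ext.kotlin_version`, a `kotlin-gradle-plugin:` classpath, or a `.kts` `version` clause). The build.gradle fragment and the `.kt` sources are constructed samples, not the plugin's files.

```python
"""Triage a scanner hit for CVE-2020-29582 against a Gradle/Kotlin module.

Added example, not part of device_info_plus. Answers the two questions from
the thread: is the pinned Kotlin older than 1.4.21, and does this module's
own Kotlin code call kotlin.io's createTempDir / createTempFile at all?
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

FIXED_IN: Version = (1, 4, 21)  # Kotlin release that addressed CVE-2020-29582

# Unqualified call such as `createTempDir("x")`. A leading `.` is excluded so that
# `File.createTempFile(...)` (java.io) and `Files.createTempDirectory(...)` (java.nio,
# the recommended replacement) are not mistaken for the kotlin.io wrappers.
_CALL_RE = re.compile(r"(?<![\w.])(createTempDir|createTempFile)\s*\(")

# Common ways a Gradle build pins the Kotlin version (Groovy DSL and .kts).
_VERSION_PATTERNS = (
    re.compile(r"""ext\.kotlin_version\s*=\s*['"]([\d.]+)['"]"""),
    re.compile(r"kotlin-gradle-plugin:([\d.]+)"),
    re.compile(r'kotlin\("[\w.]+"\)\s+version\s+"([\d.]+)"'),
)


def parse_version(text: str) -> Version:
    """'1.7.22' -> (1, 7, 22), so tuples compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def kotlin_version_from_gradle(gradle: str) -> Optional[Version]:
    """Return the pinned Kotlin version, or None if the build file does not pin one."""
    for pattern in _VERSION_PATTERNS:
        match = pattern.search(gradle)
        if match:
            return parse_version(match.group(1))
    return None


def find_affected_calls(sources: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """(path, line number, line) for every unqualified createTempDir/createTempFile call."""
    hits = []
    for path, code in sources.items():
        for lineno, line in enumerate(code.splitlines(), start=1):
            if _CALL_RE.search(line):
                hits.append((path, lineno, line.strip()))
    return hits


def triage(gradle: str, sources: Dict[str, str]) -> dict:
    version = kotlin_version_from_gradle(gradle)
    # An unpinned version cannot be cleared, so treat it as potentially affected.
    version_affected = version is None or version < FIXED_IN
    calls = find_affected_calls(sources)
    if calls:
        verdict = "review"           # the CVE's functions are reachable from this module
    elif version_affected:
        verdict = "upgrade_kotlin"   # old stdlib pinned, even though this module never calls them
    else:
        verdict = "not_affected"     # fixed version and no call sites: the scanner hit is noise
    return {"kotlin_version": version, "version_affected": version_affected,
            "affected_calls": calls, "verdict": verdict}


# Constructed sample build.gradle, shaped like an Android plugin module's (not a copy).
SAMPLE_GRADLE = """
buildscript {
    ext.kotlin_version = '1.7.22'
    dependencies {
        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
    }
}
"""

# Constructed Kotlin sources: a clean plugin-style file, and a hypothetical second
# file that does use the deprecated kotlin.io helper next to its java.nio replacement.
SAMPLE_SOURCES = {
    "DeviceInfoPlusPlugin.kt": """
import android.os.Build
fun model(): String = Build.MODEL
""",
}
SAMPLE_SOURCES_WITH_CALL = {
    **SAMPLE_SOURCES,
    "ScratchDir.kt": """
import java.io.File
import java.nio.file.Files
val scratch: File = createTempDir("scratch")      // kotlin.io helper named by the CVE
val safe = Files.createTempDirectory("scratch")   // java.nio replacement, not flagged
""",
}

if __name__ == "__main__":
    for label, srcs in (("plugin only", SAMPLE_SOURCES),
                        ("with call site", SAMPLE_SOURCES_WITH_CALL)):
        result = triage(SAMPLE_GRADLE, srcs)
        print(label, result["kotlin_version"], result["verdict"], result["affected_calls"])
```

Run it against a real checkout by reading `android/build.gradle` into `gradle` and every `.kt` under `android/src` into the `sources` dict. A `not_affected` verdict matches the reasoning in the comment above; `review` means a call site exists and the scanner hit deserves a look regardless of the pinned version, since the kotlin.io helpers were deprecated rather than removed.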

Closing, as there is already an explanation of why this one is invalid.

vbuberen avatar Jun 05 '24 08:06 vbuberen