GitHub Advisory DatabaseGHSA-6XHG-Q9C8-RJ32Credential leak in react-native-fast-image
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
47.8%
This affects all versions before version 8.3.0 of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| react-native-fast-image_project | react-native-fast-image | * | cpe:2.3:a:react-native-fast-image_project:react-native-fast-image:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-6xhg-q9c8-rj32
github.com/DylanVann/react-native-fast-image/commit/4a7cd64f5b0aa40b04d63ccb105ee2b511abe624
github.com/DylanVann/react-native-fast-image/issues/690
github.com/DylanVann/react-native-fast-image/pull/691
nvd.nist.gov/vuln/detail/CVE-2020-7696
snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
47.8%