React Native Code Issue Vulnerability
React Native is an open source JavaScript framework used to build user interfaces and native applications. A code issue vulnerability exists in react-native version 0.59.0, which stems from a regular expression in the validateBaseUrl function that could cause an application to use too many...
PT-2021-10305 · Facebook · React Native
Name of the Vulnerable Software and Affected Versions: react-native versions 0.59.0 through 0.64.1. Description: A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash...
CVE-2021-29492
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A...
CVE-2021-29492
Envoy versions up to 1.18.2 contain a URL-path decoding flaw: escaped slashes (%2F, %5C) are not decoded, allowing an attacker to craft paths like /something%2F..%2Fadmin to bypass access controls and escalate privileges when RBAC/JWT filters enforce path-based policies. This can let a backend se...
Apple macOS Resource Management Error Vulnerability
Apple macOS is a proprietary operating system developed by Apple Inc. for Mac computers. A resource management error vulnerability exists in the Heimdal component of Apple macOS. The vulnerability stems from a use-after-free error in Heimdal, where a malicious application could trigger a...
Apple macOS Permissions and Access Control Issue Vulnerability
Apple macOS is a suite of specialized operating systems developed by Apple Inc. for Mac computers. A permissions and access control issue vulnerability exists in the Dock component of Apple macOS. The vulnerability stems from an application not properly applying security restrictions to th...
Apple iPadOS Access Control Error Vulnerability
Apple iPadOS is an operating system from Apple Inc. for the iPad tablet computer. Apple iPadOS suffers from an Access Control Error vulnerability that stems from improper access restrictions in the kernel subsystem. A native application can bypass implemented security restrictions and expose...
Apple iPadOS Race Condition Vulnerability
Apple iPadOS is an operating system from Apple Inc. for the iPad tablet computer. Apple iPadOS suffers from a race condition vulnerability that stems from a race condition in AVEVideoEncoder. A native application can exploit the race to gain unauthorized access to...
Apple tvOS Permissions and Access Control Issue Vulnerability
Apple tvOS is an operating system for Apple TV devices. A vulnerability exists in Apple tvOS due to a permissions and access control issue, which arises from an application not properly imposing security restrictions in the "crash report" component. The vulnerability allows native...
Apple macOS Big Sur Security Vulnerability
Apple macOS Big Sur is a desktop operating system from Apple Inc. A security vulnerability exists in macOS Big Sur, which originates from allowing a native application to overwrite arbitrary files. Affected versions: macOS 11.0 20A2411, 11.0.1 20B29, 11.0.1 20B50, 11.1 20C69, 11.2 20D64, 11.2.1...
GHSA-RFFR-C932-CPXV Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor
Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticat...
GHSA-W4X5-JQQ4-QC8X SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform...
GHSA-JR34-MFF8-PC6F SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform...
GHSA-Q6CJ-6JVQ-JWMH Privilege Escalation in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform...
Credential leak in react-native-fast-image
Overview: This affects all versions before version 8.3.0 of package react-native-fast-image. When an image with source=uri: "...", headers: host: "somehost.com", authorization: "..." is loaded, all other subsequent images will use the same headers; this can lead to signing credentials or other...
@agungkes/react-native-scalable-image (>=1.0.1 <=1.0.2), @applicaster/zapp-react-native-fast-image (>=1.0.0 <=1.1.0-beta.0) +35 more potentially affected by CVE-2020-7696 via react-native-fast-image (>=4.0.14 <=8.2.0)
react-native-fast-image NPM version =4.0.14, =1.0.1, =1.0.0, =1.0.0, =1.8.20, =1.0.21, =0.0.8, =0.0.8, =0.0.1, =0.0.1, =0.10.25, =1.0.113, =1.0.220 - inso-motorbike-liability =1.0.2 and more Source cves: CVE-2020-7696 Source advisory: OSV:GHSA-6XHG-Q9C8-RJ32...
GHSA-6XHG-Q9C8-RJ32 Credential leak in react-native-fast-image
This affects all versions before version 8.3.0 of package react-native-fast-image. When an image with source=uri: "...", headers: host: "somehost.com", authorization: "..." is loaded, all other subsequent images will use the same headers; this can lead to signing credentials or other session toke...