Path-Check / gaen-mobile

The mobile application supporting the GAEN Exposure Notifications protocol.
MIT License

CVE-2021-22878 (Medium) detected in multiple libraries #874

Closed mend-bolt-for-github[bot] closed 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2021-22878 - Medium Severity Vulnerability

Vulnerable Libraries - RealmSwift-10.1.1, Flipper-Folly-2.3.0, YogaKit-1.18.1, Yoga-1.14.0, Realm-10.1.1, Flipper-RSocket-1.1.0, Realm/Headers-10.1.1

RealmSwift-10.1.1

The Realm Mobile Database, for Swift. (If you want to use Realm from Objective-C, see the “Realm” pod.) The Realm Mobile Database is a fast, easy-to-use replacement for Core Data & SQLite. Use it with the Realm Mobile Platform for realtime, automatic data sync. Works on iOS, macOS, tvOS & watchOS. Learn more and get help at https://realm.io.

Library home page: https://github.com/realm/realm-cocoa/archive/v10.1.1.zip

Path to dependency file: gaen-mobile/ios/Podfile.lock

Path to vulnerable library: gaen-mobile/ios/Podfile.lock

Dependency Hierarchy:
- :x: **RealmSwift-10.1.1** (Vulnerable Library)

Flipper-Folly-2.3.0

Library home page: https://github.com/facebook/folly/archive/v2020.04.06.00.zip

Path to dependency file: gaen-mobile/ios/Podfile.lock

Path to vulnerable library: gaen-mobile/ios/Podfile.lock, gaen-mobile/ios/Podfile.lock

Dependency Hierarchy:
- Flipper-RSocket-1.1.0 (Root Library)
  - :x: **Flipper-Folly-2.3.0** (Vulnerable Library)

YogaKit-1.18.1

Yoga is a cross-platform layout engine enabling maximum collaboration within your team by implementing an API many designers are familiar with, and opening it up to developers across different platforms.

Library home page: https://github.com/facebook/yoga/archive/1.18.0.zip

Path to dependency file: gaen-mobile/ios/Podfile.lock

Path to vulnerable library: gaen-mobile/ios/Podfile.lock

Dependency Hierarchy:
- FlipperKit/FlipperKitLayoutPlugin-0.62.0 (Root Library)
  - :x: **YogaKit-1.18.1** (Vulnerable Library)

Yoga-1.14.0

Yoga is a cross-platform layout engine enabling maximum collaboration within your team by implementing an API many designers are familiar with, and opening it up to developers across different platforms.

Library home page: https://github.com/facebook/yoga/archive/1.14.0.zip

Path to dependency file: gaen-mobile/ios/Podfile.lock

Path to vulnerable library: gaen-mobile/ios/Podfile.lock, gaen-mobile/ios/Podfile.lock

Dependency Hierarchy:
- react-native-splash-screen-3.2.0 (Root Library)
  - React-0.63.4
    - React-Core-0.63.4
      - React-Core/Default-0.63.4
        - :x: **Yoga-1.14.0** (Vulnerable Library)

Realm-10.1.1

The Realm Mobile Database, for Objective-C. (If you want to use Realm from Swift, see the “RealmSwift” pod.) The Realm Mobile Database is a fast, easy-to-use replacement for Core Data & SQLite. Use it with the Realm Mobile Platform for realtime, automatic data sync. Works on iOS, macOS, tvOS & watchOS. Learn more and get help at https://realm.io.

Library home page: https://github.com/realm/realm-cocoa/archive/v10.1.1.zip

Path to dependency file: gaen-mobile/ios/Podfile.lock

Path to vulnerable library: gaen-mobile/ios/Podfile.lock, gaen-mobile/ios/Podfile.lock

Dependency Hierarchy:
- :x: **Realm-10.1.1** (Vulnerable Library)

Flipper-RSocket-1.1.0

Library home page: https://github.com/priteshrnandgaonkar/rsocket-cpp/archive/0.11.0.zip

Path to dependency file: gaen-mobile/ios/Podfile.lock

Path to vulnerable library: gaen-mobile/ios/Podfile.lock, gaen-mobile/ios/Podfile.lock

Dependency Hierarchy:
- :x: **Flipper-RSocket-1.1.0** (Vulnerable Library)

Realm/Headers-10.1.1

The Realm Mobile Database, for Objective-C. (If you want to use Realm from Swift, see the “RealmSwift” pod.) The Realm Mobile Database is a fast, easy-to-use replacement for Core Data & SQLite. Use it with the Realm Mobile Platform for realtime, automatic data sync. Works on iOS, macOS, tvOS & watchOS. Learn more and get help at https://realm.io.

Library home page: https://github.com/realm/realm-cocoa/archive/v10.1.1.zip

Path to dependency file: gaen-mobile/ios/Podfile.lock

Path to vulnerable library: gaen-mobile/ios/Podfile.lock

Dependency Hierarchy:
- Realm-10.1.1 (Root Library)
  - :x: **Realm/Headers-10.1.1** (Vulnerable Library)

Found in HEAD commit: b3db907b448e28dda0f9df14442cf20a695d1210

Found in base branch: develop

Vulnerability Details

Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.

Publish Date: 2021-03-03

URL: CVE-2021-22878

CVSS 3 Score Details (4.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nextcloud.com/security/advisory/?id=NC-SA-2021-005

Release Date: 2021-03-03

Fix Resolution: v20.0.6


si1k commented 3 years ago

False positive, as gaen-mobile does not leverage Nextcloud. Can be safely closed. Ticket filed with WhiteSource.