nexmo-community / react-native-app-to-phone

MIT License

React-RCTImage-0.63.4: 1 vulnerabilities (highest severity is: 5.3) - autoclosed #6

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - React-RCTImage-0.63.4

Path to dependency file: /ios/Podfile.lock

Path to vulnerable library: /ios/Podfile.lock

Found in HEAD commit: 2f2260d09a9a985504532f0e371622b4c6076527

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (React-RCTImage version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2012-2677 | Medium | 5.3 | boost-for-react-native-1.63.0 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2012-2677

### Vulnerable Library - boost-for-react-native-1.63.0

Library home page: https://github.com/react-native-community/boost-for-react-native/archive/v1.63.0-0.zip

Path to dependency file: /ios/Podfile.lock

Path to vulnerable library: /ios/Podfile.lock

Dependency Hierarchy:

- React-RCTImage-0.63.4 (Root Library)
  - React-jsi-0.63.4
    - :x: **boost-for-react-native-1.63.0** (Vulnerable Library)

Found in HEAD commit: 2f2260d09a9a985504532f0e371622b4c6076527

Found in base branch: main

### Vulnerability Details

Integer overflow in the ordered_malloc function in boost/pool/pool.hpp in Boost Pool before 3.9 makes it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large memory chunk size value, which causes less memory to be allocated than expected.

Publish Date: 2012-07-25

URL: CVE-2012-2677

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Release Date: 2012-07-25

Fix Resolution: boost-1.80.0

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or is no longer part of the Mend inventory.