opentok / opentok-macos-sdk-samples


VonageWebRTC-99.2.39: 1 vulnerabilities (highest severity is: 7.5) #8

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - VonageWebRTC-99.2.39

Vonage's WebRTC native library in Vonage products. WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications capabilities via simple APIs.

Library home page: https://d3opqjmqzxf057.cloudfront.net/vonage-webrtc/pod/vonagewebrtc/release/99.2.39/VonageWebRTC-99.2.39.zip

Path to dependency file: /Basic-Video-Chat/Podfile.lock

Path to vulnerable library: /Basic-Video-Chat/Podfile.lock,/Custom-Audio-Driver/Podfile.lock,/Custom-Audio-Driver/Podfile.lock,/Basic-Video-Chat-Metal/Podfile.lock,/Custom-Video-Capturer/Podfile.lock,/Screen-Sharing/Podfile.lock,/Screen-Sharing/Podfile.lock,/Custom-Video-Capturer/Podfile.lock,/Basic-Video-Chat-Metal/Podfile.lock,/Basic-Video-Chat/Podfile.lock,/Simple-Multiparty/Podfile.lock,/Simple-Multiparty/Podfile.lock

Found in HEAD commit: 2e96e1e71ef954a9b7b240379b744c36283fe62b

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (VonageWebRTC version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-0705 | High | 7.5 | VonageWebRTC-99.2.39 | Direct | 110.0.5421.0 | |

Details

CVE-2023-0705

### Vulnerable Library - VonageWebRTC-99.2.39


Dependency Hierarchy:
- :x: **VonageWebRTC-99.2.39** (Vulnerable Library)

Found in HEAD commit: 2e96e1e71ef954a9b7b240379b744c36283fe62b

Found in base branch: main

### Vulnerability Details

Integer overflow in Core in Google Chrome prior to 110.0.5481.77 allowed a remote attacker who had won a race condition to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)

Publish Date: 2023-02-07

URL: CVE-2023-0705

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2023-02-07

Fix Resolution: 110.0.5421.0

v-kpheng commented 1 year ago

Closing, since this doesn't impact the native SDK, given we use libwebrtc, and not "Chrome".