CVE-2020-7696 - OpenCVE

This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
React-native-fast-image Project	React-native-fast-image

Configuration 1 [-]

cpe:2.3:a:react-native-fast-image_project:react-native-fast-image:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/DylanVann/react-native-fast-image/issues/690	Exploit Third Party Advisory
https://github.com/DylanVann/react-native-fast-image/pull/691	Exploit Issue Tracking Third Party Advisory
https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2020-07-17T00:00:00

Updated: 2020-07-17T09:25:14

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7696

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-07-17T10:15:12.467

Modified: 2020-07-22T17:42:33.953

Link: CVE-2020-7696

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "react-native-fast-image", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Andrei Alecu"}], "datePublic": "2020-07-17T00:00:00", "descriptions": [{"lang": "en", "value": "This affects all versions of package react-native-fast-image. When an image with source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Information Exposure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-17T09:25:14", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DylanVann/react-native-fast-image/issues/690"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DylanVann/react-native-fast-image/pull/691"}], "title": "Information Exposure", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-07-17T09:22:50.119415Z", "ID": "CVE-2020-7696", "STATE": "PUBLIC", "TITLE": "Information Exposure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "react-native-fast-image", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Andrei Alecu"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects all versions of package react-native-fast-image. When an image with source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228"}, {"name": "https://github.com/DylanVann/react-native-fast-image/issues/690", "refsource": "MISC", "url": "https://github.com/DylanVann/react-native-fast-image/issues/690"}, {"name": "https://github.com/DylanVann/react-native-fast-image/pull/691", "refsource": "MISC", "url": "https://github.com/DylanVann/react-native-fast-image/pull/691"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7696", "datePublished": "2020-07-17T00:00:00", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-07-17T09:25:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:react-native-fast-image_project:react-native-fast-image:*:*:*:*:*:*:*:*", "matchCriteriaId": "08F2A94F-6529-4117-B798-A6B5741CC615", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects all versions of package react-native-fast-image. When an image with source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers."}, {"lang": "es", "value": "Esto afecta a todas las versiones del paquete react-native-fast-image. Cuando una imagen es cargada con source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }}, todas las dem\u00e1s im\u00e1genes posteriores usar\u00e1n los mismos encabezados, esto puede conllevar a una firma de credenciales u otros tokens de sesi\u00f3n que han sido filtrados a otros servidores"}], "id": "CVE-2020-7696", "lastModified": "2020-07-22T17:42:33.953", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2020-07-17T10:15:12.467", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/DylanVann/react-native-fast-image/issues/690"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/DylanVann/react-native-fast-image/pull/691"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}