Description
Credential leak in react-native-fast-image
This affects all versions of package react-native-fast-image before version 8.3.0. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }}} is loaded, all subsequent images will use the same headers. This can lead to signing credentials or other session tokens being leaked to other servers.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-7696
- https://github.com/DylanVann/react-native-fast-image/issues/690
- https://github.com/DylanVann/react-native-fast-image/pull/691
- https://github.com/DylanVann/react-native-fast-image/commit/4a7cd64f5b0aa40b04d63ccb105ee2b511abe624
- https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228
Packages
Name: react-native-fast-image (npm)
Affected versions: < 8.3.0
Fixed version: 8.3.0
Related vulnerabilities
CVSS3: 5.3
nvd
more than 5 years ago
This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }}} is loaded, all subsequent images will use the same headers. This can lead to signing credentials or other session tokens being leaked to other servers.