CVE-2020-7696 - OpenCVE

This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
React-native-fast-image Project	React-native-fast-image

Configuration 1 [-]

cpe:2.3:a:react-native-fast-image_project:react-native-fast-image:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/DylanVann/react-native-fast-image/issues/690
https://github.com/DylanVann/react-native-fast-image/pull/691
https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-07-17T09:25:15.060866Z

Updated: 2024-09-16T18:29:42.271Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7696

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-07-17T10:15:12.467

Modified: 2020-07-22T17:42:33.953

Link: CVE-2020-7696

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "react-native-fast-image", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Andrei Alecu"}], "datePublic": "2020-07-17T00:00:00", "descriptions": [{"lang": "en", "value": "This affects all versions of package react-native-fast-image. When an image with source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Information Exposure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-17T09:25:14", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DylanVann/react-native-fast-image/issues/690"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DylanVann/react-native-fast-image/pull/691"}], "title": "Information Exposure", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-07-17T09:22:50.119415Z", "ID": "CVE-2020-7696", "STATE": "PUBLIC", "TITLE": "Information Exposure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "react-native-fast-image", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Andrei Alecu"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects all versions of package react-native-fast-image. When an image with source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228"}, {"name": "https://github.com/DylanVann/react-native-fast-image/issues/690", "refsource": "MISC", "url": "https://github.com/DylanVann/react-native-fast-image/issues/690"}, {"name": "https://github.com/DylanVann/react-native-fast-image/pull/691", "refsource": "MISC", "url": "https://github.com/DylanVann/react-native-fast-image/pull/691"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:01.543Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DylanVann/react-native-fast-image/issues/690"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DylanVann/react-native-fast-image/pull/691"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7696", "datePublished": "2020-07-17T09:25:15.060866Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-16T18:29:42.271Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:react-native-fast-image_project:react-native-fast-image:*:*:*:*:*:*:*:*", "matchCriteriaId": "08F2A94F-6529-4117-B798-A6B5741CC615", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects all versions of package react-native-fast-image. When an image with source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers."}, {"lang": "es", "value": "Esto afecta a todas las versiones del paquete react-native-fast-image. Cuando una imagen es cargada con source={{uri: \"...\", headers: { host: \"somehost.com\", authorization: \"...\" }}, todas las dem\u00e1s im\u00e1genes posteriores usar\u00e1n los mismos encabezados, esto puede conllevar a una firma de credenciales u otros tokens de sesi\u00f3n que han sido filtrados a otros servidores"}], "id": "CVE-2020-7696", "lastModified": "2020-07-22T17:42:33.953", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2020-07-17T10:15:12.467", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/DylanVann/react-native-fast-image/issues/690"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/DylanVann/react-native-fast-image/pull/691"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}