Vulnerability Description
This affects all versions of package react-native-fast-image. When an image with `source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }}}` is loaded, all subsequent images are requested with the same headers, which can leak signing credentials or other session tokens to other servers.
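The following is an added example, not code from react-native-fast-image or from the advisory. It models the header-bleed behaviour described above with a constructed in-memory "network" so the leak and a scoped alternative can be observed offline: `makeSharedHeaderLoader` is a hypothetical stand-in for a loader that merges per-image headers into one long-lived object (it does not reproduce the library's internals), `makeScopedLoader` keeps headers per request, and `findCredentialLeaks` is a check a test suite or request log review could run to see which hosts received a credential they were never meant to get. The `SCENARIO` entries, hosts and token value are constructed; only an Authorization header is used.

```javascript
// Added example (not react-native-fast-image's own code): model of credential
// headers bleeding from one image request into later ones, plus a scoped fix.

// Constructed stand-in for the network layer: records which host got which headers.
function makeNetwork() {
  const requests = [];
  return {
    requests,
    fetch(uri, headers) {
      requests.push({ host: new URL(uri).host, headers: { ...headers } });
    },
  };
}

// Weak pattern (hypothetical model of the bug): every load merges its headers
// into one long-lived object that later loads reuse, so a credential supplied
// for the first host is repeated to every host loaded afterwards.
function makeSharedHeaderLoader(net) {
  const shared = {};
  return ({ uri, headers = {} }) => {
    Object.assign(shared, headers);
    net.fetch(uri, shared);
  };
}

// Hardened pattern: headers live only for the request that supplied them.
// A fresh object per call means nothing carries over to the next image.
function makeScopedLoader(net) {
  return ({ uri, headers = {} }) => {
    net.fetch(uri, { ...headers });
  };
}

// Defender's check: which hosts received a credential header that the caller
// never addressed to them? Usable in unit tests or over a request log.
function findCredentialLeaks(requests, intendedHost) {
  const credentialNames = new Set(['authorization', 'cookie']);
  return requests
    .filter((r) => r.host !== intendedHost)
    .filter((r) => Object.keys(r.headers).some((h) => credentialNames.has(h.toLowerCase())))
    .map((r) => r.host);
}

// Constructed scenario: one authenticated image, then a public third-party image.
const SCENARIO = [
  { uri: 'https://somehost.com/avatar.png', headers: { authorization: 'Bearer EXAMPLE-TOKEN' } },
  { uri: 'https://cdn.example.org/banner.png' },
];

// Runs the scenario through a loader factory and returns the hosts that leaked.
function runScenario(makeLoader) {
  const net = makeNetwork();
  const load = makeLoader(net);
  for (const img of SCENARIO) load(img);
  return findCredentialLeaks(net.requests, 'somehost.com');
}

// Shared-header loader leaks to cdn.example.org; scoped loader leaks nowhere.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('shared:', runScenario(makeSharedHeaderLoader));
  console.log('scoped:', runScenario(makeScopedLoader));
}
```

Run with `node` to see the two results side by side. The useful part for an application using any image library is `findCredentialLeaks`: pointing it at a recorded request log from a test run, with the one host that should ever see the token, turns the advisory's description into a regression check rather than something that has to be reasoned about by reading loader code.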
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| React-Native-Fast-Image Project | React-Native-Fast-Image | All versions |
Related Weaknesses (CWE)
References
- https://github.com/DylanVann/react-native-fast-image/issues/690 (Exploit, Third Party Advisory)
- https://github.com/DylanVann/react-native-fast-image/pull/691 (Exploit, Issue Tracking, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2020-7696?
CVE-2020-7696 is a vulnerability with a CVSS score of 5.3 (MEDIUM). It affects all versions of package react-native-fast-image. When an image with `source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }}}` is loaded, all subsequent images are requested with the same headers, which can leak signing credentials or other session tokens to other servers.
How severe is CVE-2020-7696?
CVE-2020-7696 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2020-7696?
Check the references section above for vendor advisories and patch information. Affected product: React-Native-Fast-Image (React-Native-Fast-Image Project), all versions.