GHSA-4JH3-6JHV-2MGP

Vulnerability from github – Published: 2024-01-09 19:33 – Updated: 2024-01-09 21:52
VLAI?
Summary
react-native-mmkv Insertion of Sensitive Information into Log File vulnerability
Details

Summary

Before version v2.11.0, the react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the Android Debugging Bridge (ADB) if it is enabled in the phone settings. This bug is not present on iOS devices.

Details

The bridge for communicating between JS code and native code on Android logs the encryption key. This was fixed in commit a8995cc by only logging whether encryption is used.

Impact

The encryption of an MMKV database protects data from higher privilege processes on the phone that can access the app storage. Additionally, if data in the app's storage is encrypted, it is also encrypted in potential backups. By logging the encryption secret to the system logs, attackers can trivially recover the secret by enabling ADB and undermining an app's thread model.

The bug was discovered and fixed by somebody else. Not me. I'm just reporting this so users of react-native-mmkv upgrade the dependency.

Severity ?
4.4 (Medium)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-native-mmkv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T19:33:09Z",
    "nvd_published_at": "2024-01-09T19:15:12Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nBefore version [v2.11.0](https://github.com/mrousavy/react-native-mmkv/releases/tag/v2.11.0), the react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the Android Debugging Bridge (ADB) if it is enabled in the phone settings. This bug is not present on iOS devices.\n\n## Details\nThe bridge for communicating between JS code and native code on Android logs the encryption key. This was fixed in commit [a8995cc](https://github.com/mrousavy/react-native-mmkv/commit/a8995ccb7184281f7d168bad3e9987c9bd05f00d) by only logging whether encryption is used.\n\n## Impact\nThe encryption of an MMKV database protects data from higher privilege processes on the phone that can access the app storage. Additionally, if data in the app\u0027s storage is encrypted, it is also encrypted in potential backups.\nBy logging the encryption secret to the system logs, attackers can trivially recover the secret by enabling ADB and undermining an app\u0027s thread model.\n\nThe bug was discovered and fixed by somebody else. Not me. I\u0027m just reporting this so users of react-native-mmkv upgrade the dependency.",
  "id": "GHSA-4jh3-6jhv-2mgp",
  "modified": "2024-01-09T21:52:47Z",
  "published": "2024-01-09T19:33:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mrousavy/react-native-mmkv/security/advisories/GHSA-4jh3-6jhv-2mgp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21668"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mrousavy/react-native-mmkv/commit/a8995ccb7184281f7d168bad3e9987c9bd05f00d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mrousavy/react-native-mmkv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mrousavy/react-native-mmkv/releases/tag/v2.11.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "react-native-mmkv Insertion of Sensitive Information into Log File vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.