
react-native-codegen 0.0.7 transitive package unset-value/1.0.0 has a known vulnerability security issue #35032

Closed
NarahariTagili-Eaton opened this issue Oct 20, 2022 · 4 comments
Labels: Impact: Security, Resolution: Fixed, Tech: Codegen, Type: Security

Comments

@NarahariTagili-Eaton

Description

The react-native-codegen 0.0.7 transitive package unset-value/1.0.0.0 has known vulnerability security issues.
We are using the unset-value/1.0.0 transitive package under the react-native-codegen 0.0.7 library; the unset-value/1.0.0 transitive package has a security issue, i.e. unset-value is vulnerable to a prototype pollution attack. A remote attacker may be able to execute arbitrary code or cause a denial-of-service (DoS) by tricking the library into modifying or adding properties of Object.prototype. CVE: BDSA-2021-4507 RCE

We would expect a fix for BDSA-2021-4507 (RCE) for the unset-value/1.0.0 transitive package by upgrading react-native-codegen 0.0.7 to the latest version.

Version

react-native-codegen 0.0.7

Output of npx react-native info

npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated uglify-es@3.3.9: support for ECMAScript is superseded by uglify-js as of v3.13.0

Steps to reproduce

Running the SCA using Blackduck found the transitive package unset-value/1.0.0.0 vulnerable, CVE: BDSA-2021-4507 RCE.

Snack, code example, screenshot, or link to a repository

NA
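A lockfile check that makes the transitive chain in this report visible, added here as an example that is not part of the issue or of react-native: it walks a constructed, simplified package-lock (v2/v3 `packages` map; the real chain from react-native-codegen to unset-value passes through more packages than shown) and lists every dependency path that ends at a version the SCA tool flagged, then shows the expected empty result once jscodeshift is bumped as the thread discusses.

```javascript
// Added example, not code from the issue or from react-native: audit an npm
// lockfile (v2/v3 "packages" map) for every dependency chain that reaches a
// package version flagged by an SCA tool, e.g. unset-value@1.0.0 pulled in
// transitively by react-native-codegen.

// Constructed, simplified lockfile; the real chain to unset-value is longer.
const lock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'react-native-codegen': '0.0.7' } },
    'node_modules/react-native-codegen': { version: '0.0.7', dependencies: { jscodeshift: '^0.13.1' } },
    'node_modules/jscodeshift': { version: '0.13.1', dependencies: { 'cache-base': '^1.0.1' } },
    'node_modules/cache-base': { version: '1.0.1', dependencies: { 'unset-value': '^1.0.0' } },
    'node_modules/unset-value': { version: '1.0.0' },
  },
};

// npm's nested node_modules resolution: try <from>/node_modules/<name>, then
// walk up one node_modules level at a time until the root is reached.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root; returns "a@1 > b@2 > ..." strings for each
// path ending at `name` with a version that `isVulnerable` accepts.
function findChains(lockfile, name, isVulnerable) {
  const pkgs = lockfile.packages, chains = [];
  const walk = (path, chain, onStack) => {
    const pkg = pkgs[path];
    if (!pkg || onStack.has(path)) return;      // unknown entry or cycle
    const next = path === '' ? chain
      : chain.concat(path.slice(path.lastIndexOf('node_modules/') + 13) + '@' + pkg.version);
    if (path.endsWith('node_modules/' + name) && isVulnerable(pkg.version)) chains.push(next.join(' > '));
    onStack.add(path);
    for (const dep of Object.keys(pkg.dependencies || {})) walk(resolveDep(pkgs, path, dep), next, onStack);
    onStack.delete(path);
  };
  walk('', [], new Set());
  return chains;
}

// Constructed post-fix state: jscodeshift bumped to 0.14.0 and, in this toy
// lockfile, no longer depending on cache-base (stale entries stay unreachable).
const fixedLock = { ...lock, packages: { ...lock.packages,
  'node_modules/react-native-codegen': { version: '0.0.7', dependencies: { jscodeshift: '^0.14.0' } },
  'node_modules/jscodeshift': { version: '0.14.0' } } };

const isFlagged = v => v === '1.0.0';   // version(s) the SCA report flagged
console.log(findChains(lock, 'unset-value', isFlagged));       // one chain
console.log(findChains(fixedLock, 'unset-value', isFlagged));  // []
```

Point `lock` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; the walk only follows reachable entries, so leftover packages in a stale lockfile are not reported.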

cortinico (Contributor) commented Oct 21, 2022

That's a valid report, but we'll have to bump jscodeshift to 0.14.0 inside react-native-codegen.

@cortinico cortinico added the Type: Security, Tech: Codegen and Impact: Security labels and removed the Needs: Triage label Oct 21, 2022
Nyazuki commented Nov 15, 2022

+1 on this vulnerability issue.

Report:

According to: https://github.com/facebook/jscodeshift/blob/main/CHANGELOG.md, it should have no unexpected breaking changes to upgrade from current ^0.13.1 to ^0.14.0.

@cortinico It looks like an easy version bump, any thoughts/updates?

Nyazuki commented Nov 18, 2022

Looks like the version is now upgraded: #35356

cortinico (Contributor) commented

Indeed, so we can close this.

@cortinico cortinico added the Resolution: Fixed label Nov 23, 2022