Security Vulnerability in Example App: OpenSSL-Universal 1.1.1100 #224

cristianmgb opened this issue Nov 20, 2024 · 0 comments
Description:
Hello,

I want to report a potential security vulnerability in the example app of this library. The issue arises due to the inclusion of OpenSSL-Universal version 1.1.1100 in the file Podfile.lock of the iOS example project.

Details:

  • File Path: node_modules/react-native-qrcode-svg/Example/ios/Podfile.lock
  • Identifiers:
    • pkg:cocoapods/OpenSSL-Universal@1.1.1100 (Confidence: Highest)
    • cpe:2.3:a:openssl:openssl:1.1.1100:*:*:*:*:*:*:* (Confidence: Low)

Vulnerability Reference:

  • CVE-2021-3711: This version of OpenSSL is affected by a buffer overflow vulnerability related to SM2 decryption (classified as CWE-120: Classic Buffer Overflow).
  • Severity:
    • CVSSv2: High (7.5)
    • CVSSv3: Critical (9.8)

Recommended Action:

It is advisable to update the Podfile.lock in the example app to use a patched version of OpenSSL-Universal, ideally version 1.1.1l or later, as this vulnerability is fixed in those releases.

Notes:

While this issue might not directly impact users of the library (as it is in the example app), having vulnerable dependencies in any part of the project could be problematic.

Thank you for addressing this, and please let me know if more details are needed.
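One way to check a lock file for the pinned version this report flags, as an added example that is not code from the react-native-qrcode-svg project or from the reporter: it parses the PODS: section of a Podfile.lock and cross-references the resolved versions with a small local advisory table built from the CVE, pod name and version named above. The lock-file excerpt is constructed, the other pod versions in it are placeholders, and the rule that pod releases older than the listed affected one are also flagged is an assumption.

```python
"""Scan a CocoaPods Podfile.lock for pods pinned to versions that a local
advisory table marks as affected.

Added example, not part of the react-native-qrcode-svg project. The lock
file text below is constructed to mirror the issue; the advisory entry is
built from the CVE id, pod name and version the report cites.
"""
import re
from typing import Dict, List, Tuple

# Matches dependency lines in the PODS: section, e.g.
# "  - OpenSSL-Universal (1.1.1100)". Subspecs such as
# "  - React-Core/Default (0.72.0)" are captured as well.
POD_LINE = re.compile(r"^\s*-\s+([A-Za-z0-9_.+/-]+)\s+\(([^)]+)\)")

# Constructed Podfile.lock excerpt. Only the OpenSSL-Universal version comes
# from the issue; the other versions and the checksum are placeholders.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - boost (1.76.0)
  - OpenSSL-Universal (1.1.1100)
  - React-Core (0.72.0):
    - React-cxxreact (= 0.72.0)
  - React-Core/Default (0.72.0)

DEPENDENCIES:
  - OpenSSL-Universal
  - React-Core (from `../node_modules/react-native/`)

SPEC CHECKSUMS:
  OpenSSL-Universal: 0000000000000000000000000000000000000000

COCOAPODS: 1.12.1
"""

# Local advisory table: pod name, CVE and affected pod version as reported.
ADVISORIES = [
    {"pod": "OpenSSL-Universal", "cve": "CVE-2021-3711", "affected": {"1.1.1100"}},
]


def version_key(version: str) -> Tuple:
    """Turn '1.1.1100' into a tuple that compares numerically per component.
    Non-numeric components (e.g. the 'l' in an OpenSSL-style '1.1.1l') fall
    back to string comparison instead of raising."""
    parts = []
    for piece in version.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def parse_pods(lock_text: str) -> Dict[str, str]:
    """Return {root pod name: resolved version} from the PODS: section.

    Only that section holds resolved versions; DEPENDENCIES: lists
    constraints. Lines indented deeper than two spaces are transitive
    constraints ("- React-cxxreact (= 0.72.0)") and are skipped."""
    pods: Dict[str, str] = {}
    in_pods = False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section
        if not in_pods or not line.startswith("  - "):
            continue
        match = POD_LINE.match(line)
        if match:
            root_name = match.group(1).split("/")[0]  # subspecs share the parent's version
            pods[root_name] = match.group(2)
    return pods


def find_vulnerable(lock_text: str, advisories=ADVISORIES) -> List[dict]:
    """Cross-reference resolved pod versions with the advisory table."""
    findings = []
    pods = parse_pods(lock_text)
    for adv in advisories:
        version = pods.get(adv["pod"])
        if version is None:
            continue
        oldest_affected = min(adv["affected"], key=version_key)
        # ASSUMPTION: pod releases older than the oldest listed affected
        # version bundle an older OpenSSL and are treated as affected too.
        if version in adv["affected"] or version_key(version) < version_key(oldest_affected):
            findings.append({"pod": adv["pod"], "version": version, "cve": adv["cve"]})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_PODFILE_LOCK):
        print(f"{finding['pod']} {finding['version']} is affected by {finding['cve']}")
```

Run it against the real file by reading `Example/ios/Podfile.lock` into `find_vulnerable`; an empty result after bumping the pod is the quickest confirmation that the lock file no longer pins the reported version.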
