react-native-mmkv Insertion of Sensitive Information into Log File vulnerability
- Severity: Medium
Description
Before version 2.11.0, react-native-mmkv logged the optional encryption key for the MMKV database to the Android system log. Anyone with access to the Android Debug Bridge (ADB) can obtain the key if ADB is enabled in the phone settings. This bug is not present on iOS devices.
Recommendation
Update the react-native-mmkv package to the latest compatible version. Version details:
- Affected version(s): < 2.11.0
- Patched version(s): 2.11.0
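One way to verify the fix on your own build, as an added example that is not code from the advisory or from the react-native-mmkv project: flag versions below 2.11.0 and scan a captured Android log for a canary encryption key. The canary value, the sample log lines and the function names are assumptions made for illustration.

```javascript
// Added example. Assumption: a test build opens MMKV with the known canary key
// below, and the device log was saved as text (e.g. from `adb logcat -d`).
const PATCHED = [2, 11, 0]; // first version that no longer logs the key

// True when a react-native-mmkv version is below 2.11.0 (pre-release tags ignored).
function isAffected(version) {
  const parts = version.replace(/^v/, '').split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== PATCHED[i]) return n < PATCHED[i];
  }
  return false;
}

// Forms the key could take in a log line. The page does not say how the key was
// printed, so checking base64 and hex as well as plain text is an assumption.
function keyForms(key) {
  const buf = Buffer.from(key, 'utf8');
  return { plain: key, base64: buf.toString('base64'), hex: buf.toString('hex') };
}

// Return one record per log line that contains the canary key in any form.
function findKeyLeaks(logText, canaryKey) {
  const forms = Object.entries(keyForms(canaryKey));
  const hits = [];
  logText.split(/\r?\n/).forEach((text, idx) => {
    for (const [form, value] of forms) {
      const haystack = form === 'hex' ? text.toLowerCase() : text;
      if (haystack.includes(value)) {
        hits.push({ line: idx + 1, form, text });
        break;
      }
    }
  });
  return hits;
}

// Constructed sample: the tag and message text are invented for this example.
const CANARY = 'canary-key-0123';
const SAMPLE_LOG = [
  '01-19 10:00:01.100  4321  4321 I ExampleTag: opening storage id=default',
  `01-19 10:00:01.105  4321  4321 I ExampleTag: encryption key=${CANARY}`,
  '01-19 10:00:01.200  4321  4321 D ExampleTag: storage ready',
].join('\n');

console.log(findKeyLeaks(SAMPLE_LOG, CANARY)); // one hit, on line 2
console.log(isAffected('2.10.2'), isAffected('2.11.0'));
```

Run it against a log captured from a build that uses only the canary key, never a production key; an empty result on 2.11.0 or later is the expected outcome.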
- Tags: npm, react-native-mmkv
Last updated on January 19, 2024