Pfadi-Nunenen/nuenenen_app

CVE-2021-21401 (High) detected in nanopb/decode-1.30906.0, nanopb-1.30906.0


CVE-2021-21401 - High Severity Vulnerability

Vulnerable Libraries - nanopb/decode-1.30906.0, nanopb-1.30906.0

nanopb/decode-1.30906.0

Nanopb is a small code-size Protocol Buffers implementation in ANSI C. It is especially suitable for use in microcontrollers, but fits any memory-restricted system.

Library home page: https://github.com/nanopb/nanopb/archive/0.3.9.6.zip

Path to dependency file: nuenenen/ios/Podfile.lock

Path to vulnerable library: nuenenen/ios/Podfile.lock

Dependency Hierarchy:

  • firebase_core-0.5.3 (Root Library)
    • Firebase/CoreOnly-6.33.0
      • FirebaseCore-6.10.3
        • FirebaseCoreDiagnostics-1.7.0
          • GoogleDataTransport-7.5.1
            • nanopb-1.30906.0
              • nanopb/decode-1.30906.0 (Vulnerable Library)

nanopb-1.30906.0

Nanopb is a small code-size Protocol Buffers implementation in ANSI C. It is especially suitable for use in microcontrollers, but fits any memory-restricted system.

Library home page: https://github.com/nanopb/nanopb/archive/0.3.9.6.zip

Path to dependency file: nuenenen/ios/Podfile.lock

Path to vulnerable library: nuenenen/ios/Podfile.lock

Dependency Hierarchy:

  • firebase_core-0.5.3 (Root Library)
    • Firebase/CoreOnly-6.33.0
      • FirebaseCore-6.10.3
        • FirebaseCoreDiagnostics-1.7.0
          • GoogleDataTransport-7.5.1
            • nanopb-1.30906.0 (Vulnerable Library)

Found in HEAD commit: b3b668f4977d27ec208c2f2043c38c4c9ad83eb0

Found in base branch: master

Vulnerability Details

Nanopb is a small code-size Protocol Buffers implementation in ANSI C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains a oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it were a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See the referenced GitHub Security Advisory for more information, including workarounds.

Publish Date: 2021-03-23

URL: CVE-2021-21401

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-7mv5-5mxh-qg88

Release Date: 2021-03-23

Fix Resolution: nanopb - 0.3.9.8,0.4.5

