CVE-2018-19756 Medium Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2018-19756 - Medium Severity Vulnerability

Vulnerable Library - expoios/2.10.6

The Expo platform for making cross-platform mobile apps

Library home page: https://github.com/expo/expo.git

Found in HEAD commit: 92b616dd37b17a4708b228c5e7f485e1b79c0f02

Library Source Files (45)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTLayerGroup.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/PublicHeaders/LOTAnimatedSwitch.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTAssetGroup.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/PublicHeaders/Lottie.h
• /Jobinator-Frontend/node_modules/expo-gl-cpp/cpp/stb_image.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/MacCompatibility/UIBezierPath.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Extensions/LOTBezierPath.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/AnimatableProperties/LOTBezierData.h
• /Jobinator-Frontend/node_modules/react-native-gesture-handler/ios/RNGestureHandlerManager.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/PublicHeaders/LOTAnimationView_Compat.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTLayer.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/RNBranchAgingDictionary.m
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/RenderSystem/InterpolatorNodes/LOTValueInterpolator.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/AnimatableProperties/LOTKeyframe.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/Branch-SDK/Branch-SDK/Networking/Requests/BranchShortUrlRequest.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/PublicHeaders/LOTAnimationCache.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeRepeater.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeFill.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeRectangle.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/PublicHeaders/LOTCacheProvider.h
• /Jobinator-Frontend/node_modules/react-native-svg/ios/Elements/RNSVGSymbol.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeStroke.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/AnimatableLayers/LOTCompositionContainer.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTModels.h
• /Jobinator-Frontend/node_modules/react-native-svg/ios/ViewManagers/RNSVGSymbolManager.m
• /Jobinator-Frontend/node_modules/react-native-branch/ios/Branch-SDK/Fabric/Answers.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/MacCompatibility/UIColor.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTMask.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/Branch-SDK/Fabric/FABKitProtocol.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/Branch-SDK/Fabric/Fabric.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeGradientFill.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTAsset.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Extensions/UIColor+Expanded.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/NSObject+RNBranch.m
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/MacCompatibility/LOTPlatformCompat.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeCircle.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/Branch-SDK/Fabric/Fabric+FABKits.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeTransform.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/PublicHeaders/LOTValueCallback.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/BranchLinkProperties+RNBranch.m
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/AnimatableLayers/LOTLayerContainer.h
• /Jobinator-Frontend/node_modules/react-native-branch/ios/RNBranchProperty.m
• /Jobinator-Frontend/node_modules/react-native-svg/ios/ViewManagers/RNSVGNodeManager.m
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/RenderSystem/InterpolatorNodes/LOTTransformInterpolator.h
• /Jobinator-Frontend/node_modules/lottie-ios/lottie-ios/Classes/Models/LOTShapeStar.h

Vulnerability Details

There is a heap-based buffer over-read at stb_image.h (function: stbi__tga_load) in libsixel 1.8.2 that will cause a denial of service.

Publish Date: 2018-11-30

URL: CVE-2018-19756

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with WhiteSource here