CVEs

[odemolliens]

react-native-netwatch/package.json

Line 33 in 43cbf35

"xlsx": "^0.18.4"

high
Prototype Pollution in sheetJS
Module: xlsx
Installed version: 0.18.5
Vulnerable: <0.19.3
Patched: >=0.19.3
Published: April 24, 2023 at 9:30:19 AM UTC
CWE-1321
CVE-2023-30533
Overview
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained.

Remediation
Upgrade to version 0.19.3 or later

References
Reasons this module exists
react-native-netwatch>xlsx

[odemolliens]

SheetJS Regular Expression Denial of Service (ReDoS)
Module: xlsx
Installed version: 0.18.5
Vulnerable: <0.20.2
Patched: >=0.20.2
Published: April 5, 2024 at 6:30:46 AM UTC
CWE-1333
CVE-2024-22363
Overview
SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).

Remediation
Upgrade to version 0.20.2 or later

References
https://nvd.nist.gov/vuln/detail/CVE-2024-22363
https://cdn.sheetjs.com/advisories/CVE-2024-22363
https://cwe.mitre.org/data/definitions/1333.html
https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2
GHSA-5pgg-2g8v-p4x9
Reasons this module exists
react-native-netwatch>xlsx

[odemolliens]

File Path: /Users/builder/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/1.17.2/78c7820b205002da4d2d137f6f312bd64b3d6049/okio-1.17.2.jar
MD5: 54a6a8979bd8e64e1fbf21d511654737
SHA1: 78c7820b205002da4d2d137f6f312bd64b3d6049
SHA256:f80ce42d2ffac47ad4c47e1d6f980d604d247ceb1a886705cf4581ab0c9fe2b8
Referenced In Project/Scope:react-native-netwatch:implementationDependenciesMetadata

Evidence
Identifiers
pkg:maven/com.squareup.okio/okio@1.17.2 (Confidence:High)
cpe:2.3:a:squareup:okio:1.17.2:::::::* (Confidence:Highest) suppress
Published Vulnerabilities
CVE-2023-3635 suppress

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

[odemolliens]

okhttp-urlconnection-3.14.9.jar
File Path: /Users/builder/.gradle/caches/modules-2/files-2.1/com.squareup.okhttp3/okhttp-urlconnection/3.14.9/c9a3b45b815cf2982415ec8145339f5af58989c3/okhttp-urlconnection-3.14.9.jar
MD5: bdcdca9d98f874bd26dee49b0164ecb3
SHA1: c9a3b45b815cf2982415ec8145339f5af58989c3
SHA256:9dc8725f8f88d291e217bc066fe9e73cf5ac84ab2a559e091480e64151afbc15
Referenced In Project/Scope:react-native-netwatch:implementationDependenciesMetadata

Evidence
Identifiers
pkg:maven/com.squareup.okhttp3/okhttp-urlconnection@3.14.9 (Confidence:High)
cpe:2.3:a:squareup:okhttp:3.14.9:::::::* (Confidence:Highest) suppress
Published Vulnerabilities
CVE-2023-0833 suppress

A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
CWE-209 Information Exposure Through an Error Message

CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

[odemolliens]

okhttp-3.14.9.jar
File Path: /Users/builder/.gradle/caches/modules-2/files-2.1/com.squareup.okhttp3/okhttp/3.14.9/3e6d101343c7ea687cd593e4990f73b25c878383/okhttp-3.14.9.jar
MD5: 69e22f2ccb614cf1bcfcca5cf7711045
SHA1: 3e6d101343c7ea687cd593e4990f73b25c878383
SHA256:2570fab55515cbf881d7a4ceef49fc515490bc027057e666776a2832465aeca0
Referenced In Project/Scope:react-native-netwatch:implementationDependenciesMetadata

Evidence
Identifiers
pkg:maven/com.squareup.okhttp3/okhttp@3.14.9 (Confidence:High)
cpe:2.3:a:squareup:okhttp:3.14.9:::::::* (Confidence:Highest) suppress
Published Vulnerabilities
CVE-2021-0341 (OSSINDEX) suppress

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-0341 for details
CWE-295 Improper Certificate Validation

CVSSv2:
Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:/C:H/I:N/A:N

[odemolliens]

Same for:

react-native-netwatch/android/build.gradle

Line 45 in 43cbf35

implementation 'org.apache.commons:commons-text:1.9'

react-native-netwatch/android/build.gradle

Line 47 in 43cbf35

implementation 'com.google.code.gson:gson:2.8.6'

react-native-netwatch/android/build.gradle

Line 49 in 43cbf35

implementation "com.squareup.okhttp3:okhttp:${safeExtGet('okhttpVersion', '3.14.9')}"

react-native-netwatch/android/build.gradle

Line 50 in 43cbf35

implementation "com.squareup.okhttp3:okhttp-urlconnection:${safeExtGet('okhttpVersion', '3.14.9')}"

react-native-netwatch/android/build.gradle

Line 51 in 43cbf35

implementation "com.squareup.okhttp3:logging-interceptor:${safeExtGet('okhttpVersion', '3.14.9')}"