react-native

Problem

Software composition analysis has identified a component with one or more known severe vulnerabilities. Available threat intelligence telemetry has confirmed that the reported high or critical severity vulnerabilities are actively being exploited by malicious actors.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors. These checks prevent the use of hard-to-secure string manipulation functions. They enforce static memory access checks, and allow only the use of range-verified string parsing functions. While these checks do not prevent every memory corruption issue by themselves, they do help reduce the likelihood.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors, preventing them from reaching production. These checks minimize the number of security issues by enforcing strict memory access checks. They also prevent the use of hard-to-secure string and memory manipulation functions. To prove the binary has been compiled with these checks enabled, the compiler emits a special debug object. Removing the debug table eliminates this proof. Therefore, this check only applies to binaries that still have their debug tables.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors. These checks prevent the use of hard-to-secure memory manipulation functions. They enforce static memory access checks, and allow only the use of range-verified memory access functions. While these checks do not prevent every memory corruption issue by themselves, they do help reduce the likelihood.

Problem

ASLR (address-space layout randomization) is a mitigation technique that increases the difficulty of performing buffer-overflow attacks that require the attacker to know the address of the program in memory. This is done by loading the program at a randomly selected address in the process' address space. ASLR-enabled kernels can choose a random load address only for position-independent executables and code.

Problem

Address Space Layout Randomization (ASLR) is a vulnerability mitigation option that forces software components to load on a different memory base address each time they are used. This mitigation is detected as enabled, but rendered ineffective since the set load base address forces the 64-bit image to load within the lower 32-bit memory range. Having a smaller memory range makes ASLR more predictable, and it is therefore easier for malicious code to bypass it.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that dynamic calls are made only to vetted functions. Trusted execution paths rely on the ability of the operating system to build a list of valid function targets. Certain functions can intentionally be disallowed to prevent malicious code from deactivating vulnerability mitigation features. A list of such invalid function targets can include publicly exported symbols. Applications that enhance control flow integrity through export suppression rely on libraries to mark their publicly visible symbols as suppressed. This is done for all symbols that are considered to be sensitive functions, and to which access should be restricted. It is considered dangerous to mix applications that perform export suppression with libraries that do not.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Higher-level programming languages implement structured exception handling by managing their own code flow execution paths. As such, they are subject to code flow hijacking during runtime. Language-specific exception handling mitigation enforces execution integrity by instrumenting calls to manage execution context switching. Any deviation from the known and trusted code flow paths will cause the application to terminate. This makes malicious code less likely to execute.

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. A port number is associated with a network address of a host, such as an IP address, and the type of network protocol used for communication. Within URLs, the ports are optional. Ports can be specified in a URL immediately following the domain name. Each network protocol, or schema, has a set of standard ports on which the service operates. This issue is raised when a mismatch between a network protocol and its expected port number is detected. While the presence of non-standard ports does not imply malicious intent, all of their uses in a software package should be documented and approved.