4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21668

GHSA ID

GHSA-4jh3-6jhv-2mgp

EPSS Score

0.55562%

CWE

CWE-532

Published

1/9/2024

Updated

1/19/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21668

CVE-2024-21668: react-native-mmkv Insertion of Sensitive Information into Log File vulnerability

Summary

Before version v2.11.0, the react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the Android Debugging Bridge (ADB) if it is enabled in the phone settings. This bug is not present on iOS devices.

Details

The bridge for communicating between JS code and native code on Android logs the encryption key. This was fixed in commit a8995cc by only logging whether encryption is used.

Impact

The encryption of an MMKV database protects data from higher privilege processes on the phone that can access the app storage. Additionally, if data in the app's storage is encrypted, it is also encrypted in potential backups. By logging the encryption secret to the system logs, attackers can trivially recover the secret by enabling ADB and undermining an app's thread model.

The bug was discovered and fixed by somebody else. Not me. I'm just reporting this so users of react-native-mmkv upgrade the dependency.

(GitHub Advisory)

4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21668

GHSA ID

GHSA-4jh3-6jhv-2mgp

EPSS Score

0.55562%

CWE

CWE-532

Published

1/9/2024

Updated

1/19/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-native-mmkv	npm	< 2.11.0	2.11.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the Android native code bridge logging the encryption key during MMKV instance creation. The commit a8995cc specifically modifies the logging statement in MmkvHostObject.cpp's constructor to stop printing cryptKey.c_str() and instead log a boolean indicating encryption status. This directly matches the CWE-532 description of sensitive information in logs, and the function's role in initializing the database with cryptographic material makes it the clear vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry ***or* v*rsion [v*.**.*](*ttps://*it*u*.*om/mrous*vy/r***t-n*tiv*-mmkv/r*l**s*s/t**/v*.**.*), t** r***t-n*tiv*-mmkv lo**** t** option*l *n*ryption k*y *or t** MMKV **t***s* into t** *n*roi* syst*m lo*. T** k*y **n ** o*t*in** *y *nyon* wit

Reasoning

T** vuln*r**ility st*ms *rom t** *n*roi* n*tiv* *o** *ri*** lo**in* t** *n*ryption k*y *urin* MMKV inst*n** *r**tion. T** *ommit ******* sp**i*i**lly mo*i*i*s t** lo**in* st*t*m*nt in `Mmkv*ostO*j**t.*pp`'s *onstru*tor to stop printin* `*ryptK*y.*_st

4.4

Basic Information

Concerned about an active attack path?

CVE-2024-21668: react-native-mmkv Insertion of Sensitive Information into Log File vulnerability

Summary

Details

Impact

4.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI