
CVE-2024-21668: react-native-mmkv Insertion of Sensitive Information into Log File vulnerability

CVSS Score: 4.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.55562%
Published: 1/9/2024
Updated: 1/19/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name: react-native-mmkv
Ecosystem: npm
Vulnerable Versions: < 2.11.0
First Patched Version: 2.11.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the Android native code bridge logging the encryption key during MMKV instance creation. The commit a8995cc specifically modifies the logging statement in MmkvHostObject.cpp's constructor to stop printing cryptKey.c_str() and instead log a boolean indicating encryption status. This directly matches the CWE-532 description of sensitive information in logs, and the function's role in initializing the database with cryptographic material makes it the clear vulnerability source.
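As an added illustration of the before/after this analysis describes (example code, not react-native-mmkv's own source; the SecretString wrapper, the function names and the exact log-line wording are assumptions), the vulnerable log statement sits beside the fixed one, plus a type-level guard that keeps key bytes out of the log even if a later developer streams the key object by mistake:

```cpp
#include <sstream>
#include <string>
#include <utility>

// Hypothetical wrapper (not part of react-native-mmkv): streaming a
// SecretString into a log writes "[redacted]"; the raw bytes are reachable
// only through expose(), which is easy to grep for in review.
class SecretString {
public:
    explicit SecretString(std::string v) : value_(std::move(v)) {}
    const std::string& expose() const { return value_; }  // for the MMKV API only
    bool empty() const { return value_.empty(); }
private:
    std::string value_;
};
inline std::ostream& operator<<(std::ostream& os, const SecretString&) {
    return os << "[redacted]";
}

// Pre-2.11.0 pattern described above: the raw key is interpolated into the
// instance-creation log line. An empty key means "not encrypted".
std::string logLineVulnerable(const std::string& id, const std::string& cryptKey) {
    std::ostringstream os;
    os << "Creating MMKV instance \"" << id << "\"... (encryption key: "
       << cryptKey << ")";
    return os.str();
}

// 2.11.0 pattern described above: only the encryption status is logged.
std::string logLineFixed(const std::string& id, const SecretString& cryptKey) {
    std::ostringstream os;
    os << "Creating MMKV instance \"" << id << "\"... (encrypted: "
       << (cryptKey.empty() ? "false" : "true") << ")";
    return os.str();
}

// Defence in depth: even if someone streams the key object itself, the
// wrapper's operator<< keeps the bytes out of the log.
std::string logLineGuarded(const std::string& id, const SecretString& cryptKey) {
    std::ostringstream os;
    os << "Creating MMKV instance \"" << id << "\"... (encryption key: "
       << cryptKey << ")";
    return os.str();
}

// Unit-test guard: key bytes must never appear in anything that is logged.
bool logLeaksKey(const std::string& logLine, const std::string& rawKey) {
    return !rawKey.empty() && logLine.find(rawKey) != std::string::npos;
}
```

The logLeaksKey check is the kind of assertion a project can keep in its test suite so a regression of this CWE-532 pattern fails CI rather than reaching a device log.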


WAF Protection Rules

WAF Rule

Summary: Before version [v2.11.0](https://github.com/mrousavy/react-native-mmkv/releases/tag/v2.11.0), the react-native-mmkv logged the optional encryption key for the MMKV database into the android system log. The key can be obtained by anyone wit
