SCA: security update for react-native-mmkv (GHSA-4jh3-6jhv-2mgp)

medium Tenable Self-Hosted Container Security Plugin ID 410248

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- react-native-mmkv is a library that allows easy use of MMKV inside React Native applications. Before
version 2.11.0, the react-native-mmkv logged the optional encryption key for the MMKV database into the
Android system log. The key can be obtained by anyone with access to the Android Debugging Bridge (ADB) if
it is enabled in the phone settings. This bug is not present on iOS devices. By logging the encryption
secret to the system logs, attackers can trivially recover the secret by enabling ADB and undermining an
app's thread model. This issue has been patched in version 2.11.0. (CVE-2024-21668)

See Also

https://github.com/advisories/GHSA-4jh3-6jhv-2mgp

Plugin Details

Severity: Medium

ID: 410248

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:N

CVSS Score Source: CVE-2024-21668

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/9/2024

Vulnerability Publication Date: 1/9/2024

Reference Information

CVE: CVE-2024-21668

cwe: CWE-532