
Looks like the Security vulnerability due to using com.nimbusds:nimbus-jose-jwt still exists

Open sizhe-eb opened this issue 8 months ago • 4 comments

Steps to Reproduce

We are using the MobSF platform to do a static analysis and got the warning "The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks." It's related to these two files:

  • com/nimbusds/jose/crypto/impl/AESCBC.java
  • com/nimbusds/jose/jca/JCASupport.java

After upgrading react-native-code-push to the latest version 8.2.2, this warning still exists, but it disappears after removing the package from the project.

Expected Behavior

The warning should disappear with the latest version 8.2.2

Reproducible Demo

[screenshot attached]

Environment

  • react-native-code-push version: v8.2.2
  • react-native version: 0.74.1
  • iOS/Android/Windows version: SDK34
  • Does this reproduce on a debug build or release build? Release
  • Does this reproduce on a simulator, or only on a physical device?

sizhe-eb, Jun 17 '24 09:06
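The report confirms the source of the flagged classes by removing react-native-code-push and re-running MobSF. A quicker way to answer "which dependency pulls com.nimbusds:nimbus-jose-jwt into the release classpath?" is to parse the Gradle dependency tree, which also reveals when a second library pulls in the same artifact so that removing one plugin would not make the finding go away. The script below is an added example written for this note; it is not code from the issue, from react-native-code-push or from MobSF. The tree text is constructed to illustrate the format that `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` prints; only the react-native-code-push 8.2.2 and react-native 0.74.1 versions come from the issue, and `com.example:other-sdk` and every nimbus-jose-jwt version are made up.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample of Gradle dependency-tree output. The structure mimics the real
# format ("+--- ", "\--- ", "|    " prefixes); the coordinates under
# react-native-code-push and com.example:other-sdk are illustrative, not real data.
SAMPLE_TREE = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.facebook.react:react-android:0.74.1
|    \\--- com.facebook.fbjni:fbjni:0.6.0
+--- project :react-native-code-push
|    \\--- com.nimbusds:nimbus-jose-jwt:9.99.0
+--- com.example:other-sdk:1.0.0
|    \\--- com.nimbusds:nimbus-jose-jwt:9.0.0 -> 9.99.0
\\--- androidx.core:core-ktx:1.12.0
"""

# A node line is: zero or more 5-character indent cells ("|    " or "     "),
# a "+--- " or "\--- " marker, the coordinate, and an optional "(*)"/"(c)"/"(n)" tag.
NODE_RE = re.compile(r"^((?:[| ]    )*)[+\\]--- (.+?)(?: \(\*\)| \(c\)| \(n\))?$")


def parse_tree(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (depth, resolved coordinate) for every node line in the tree."""
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # header, blank or "No dependencies" lines
        depth = len(m.group(1)) // 5
        node = m.group(2)
        # "group:artifact:1.0 -> 1.2" means the declared 1.0 was resolved to 1.2;
        # report the version that actually ends up on the classpath.
        if " -> " in node:
            declared, resolved = node.split(" -> ", 1)
            group_artifact = ":".join(declared.split(":")[:2])
            node = f"{group_artifact}:{resolved}"
        yield depth, node


def find_paths(text: str, group_artifact: str) -> List[List[str]]:
    """Return every root-to-target path whose leaf is the given group:artifact."""
    stack: List[str] = []
    paths: List[List[str]] = []
    for depth, node in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(node)
        if node.rsplit(":", 1)[0] == group_artifact:  # compare without the version
            paths.append(list(stack))
    return paths


def roots_pulling_in(text: str, group_artifact: str) -> List[str]:
    """Sorted list of top-level dependencies that (transitively) bring in the artifact."""
    return sorted({path[0] for path in find_paths(text, group_artifact)})


if __name__ == "__main__":
    target = "com.nimbusds:nimbus-jose-jwt"
    for path in find_paths(SAMPLE_TREE, target):
        print(" -> ".join(path))
    print("top-level dependencies bringing it in:", roots_pulling_in(SAMPLE_TREE, target))
```

Run it against your own build by replacing `SAMPLE_TREE` with the saved output of the Gradle command above; if more than one top-level dependency appears in the result, the MobSF finding will persist after removing only react-native-code-push. Note that the finding itself is a static pattern match on AES/CBC/PKCS5Padding usage inside the library's classes, so the tree only tells you who ships the code, not whether your app ever exercises that code path.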