Dependency security vulnerabilities

[Korbut-Yura]

I'm using the last versions of Firebase products for my React-Native project. According to SAST testing, we've found some dependency security vulnerabilities in pods, which are used as sub-dependencies Firebase. Is there any information about fixing these vulnerabilities or updating sub-dependencies?
I'm using
"@react-native-firebase/analytics": "10.5.1",
"@react-native-firebase/app": "10.5.0",
"@react-native-firebase/auth": "10.5.1",
"@react-native-firebase/crashlytics": "10.5.1",
"@react-native-firebase/dynamic-links": "10.5.1",
"@react-native-firebase/firestore": "10.5.1",
"@react-native-firebase/functions": "10.5.1",
"@react-native-firebase/remote-config": "10.5.1",
"@react-native-firebase/storage": "10.5.1",
Vulnerabilities are sub-dependencies of Firebase/Firestore, Firebase/Analytics pods
SAST report added in attachments
vulnerabilities report.pdf

[paulb777]

Thanks for the report. However, there is not actionable feedback in this report:

• The gRPC points are to a 2017 gRPC version
• The GoogleUtilities points refer to unknown versions and unspecified code
• The abseil points refer to unknown versions and unspecified code

Please provide more clarity.

[Korbut-Yura]

Structure of sub-dependencies of pods

• FirebaseFirestore (7.4.0):
  • gRPC-C++ (1.28.2):
    • gRPC-C++/Implementation (1.28.2):
      • gRPC-Core (1.28.2):
        • gRPC-Core/Implementation (1.28.2):
          - BoringSSL-GRPC(0.0.7)
  • abseil/base (0.20200225.0):
    - abseil/base/throw_delegate (=0.20200225.0)
• FirebaseAnalytics (7.4.0):
  -GoogleUtilities/AppDelegateSwizzler (~>7.0)
• FirebaseAuth (7.4.0):
  -GoogleUtilities/AppDelegateSwizzler (~>7.0)

Is the information actionable?

[paulb777]

Thanks, but we would need to know specifically where in the sub-dependencies the security vulnerabilities are.

[Korbut-Yura]

I've marked these dependencies as bold

• BoringSSL-GRPC(0.0.7)
• GoogleUtilities/AppDelegateSwizzler (~>7.0)
• abseil/base/throw_delegate (=0.20200225.0)

[EPAM-Benefits-Club]

BoringSSL-GRPC 0.0.7: 

• Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.
• Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c. 
• Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.
• Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c. 
• Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.
• Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c. 
• Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.  
• Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c. 
• The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
• The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
  --
  GoogleUtilities/AppDelegateSwizzler 7.2.0: 
• Multiple buffer overflows in DeleGate before 8.11.1 may allow attackers to cause a denial of service or execute arbitrary code, possibly due to "overflows on arrays."
• Multiple buffer overflows in DeleGate before 8.11.1 may allow attackers to cause a denial of service or execute arbitrary code, possibly due to "overflows on arrays." 
• The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.  
• The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. 
  --
  abseil/base/throw_delegate 0.20200225.0: 
• Multiple buffer overflows in DeleGate before 8.11.1 may allow attackers to cause a denial of service or execute arbitrary code, possibly due to "overflows on arrays."
• Multiple buffer overflows in DeleGate before 8.11.1 may allow attackers to cause a denial of service or execute arbitrary code, possibly due to "overflows on arrays." 
• The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
• The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. 
• Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions.
• Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions.