CVE-2021-24033

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

CVSS v3 5.6 MEDIUM
CVSS v2.0 6.8 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/facebook/create-react-app/pull/10644	Exploit Patch Third Party Advisory
https://www.facebook.com/security/advisories/cve-2021-24033	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*

History

16 Mar 2021, 18:34

Type	Values Removed	Values Added
CVSS	v2 : ~~6.8~~ v3 : ~~7.8~~	v2 : 6.8 v3 : 5.6

12 Mar 2021, 18:00

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 7.8
References	~~(MISC) https://github.com/facebook/create-react-app/pull/10644 -~~	(MISC) https://github.com/facebook/create-react-app/pull/10644 - Exploit, Patch, Third Party Advisory
References	~~(CONFIRM) https://www.facebook.com/security/advisories/cve-2021-24033 -~~	(CONFIRM) https://www.facebook.com/security/advisories/cve-2021-24033 - Vendor Advisory
CPE		cpe:2.3:a:facebook:react-dev-utils::::::::
CWE		CWE-78

09 Mar 2021, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-03-09 01:15

Updated : 2023-12-10 13:41

NVD link : CVE-2021-24033

Mitre link : CVE-2021-24033

CVE.ORG link : CVE-2021-24033

JSON object : View

Products Affected

facebook

react-dev-utils

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2021-24033", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.2}]}, "published": "2021-03-09T01:15:13.433", "references": [{"url": "https://github.com/facebook/create-react-app/pull/10644", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "cve-assign@fb.com"}, {"url": "https://www.facebook.com/security/advisories/cve-2021-24033", "tags": ["Vendor Advisory"], "source": "cve-assign@fb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "cve-assign@fb.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you."}, {"lang": "es", "value": "react-dev-utils anterior a versi\u00f3n v11.0.4, expone una funci\u00f3n, getProcessForPort, donde un argumento de entrada se concatena en una cadena de comando para ser ejecutado. Esta funci\u00f3n se usa generalmente desde react-scripts (en los proyectos de Create React App), donde el uso es seguro. Solo cuando esta funci\u00f3n se invoca manualmente con valores proporcionados por el usuario (es decir, mediante c\u00f3digo personalizado) existe la posibilidad de inyecci\u00f3n de comandos. Si lo consume desde react-scripts, este problema no le afecta"}], "lastModified": "2021-03-16T18:34:51.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A233E720-E5C4-48BD-B589-5A16D11BEFEE", "versionEndExcluding": "11.0.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve-assign@fb.com"}