CVE-2021-24033

Published: Mar 9, 2021Modified: Nov 21, 2024

5.6

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 2.2 / Impact: 3.4

Source: NVD

Description

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Affected (1)

Products: Facebook: React Dev Utils

1 product

React Dev Utils

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Facebook React Dev Utils	Before 11.0.4

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://github.com/facebook/create-react-app/pull/10644

Source: cve-assign@fb.com

ExploitPatchThird Party Advisory

https://www.facebook.com/security/advisories/cve-2021-24033

Source: cve-assign@fb.com

Vendor Advisory

https://github.com/facebook/create-react-app/pull/10644

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://www.facebook.com/security/advisories/cve-2021-24033

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.