CVE-2021-24033 - OpenCVE

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Facebook	React-dev-utils

Configuration 1 [-]

cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/facebook/create-react-app/pull/10644
https://nvd.nist.gov/vuln/detail/CVE-2021-24033
https://www.cve.org/CVERecord?id=CVE-2021-24033
https://www.facebook.com/security/advisories/cve-2021-24033

History

No history.

MITRE

Status: PUBLISHED

Assigner: facebook

Published: 2021-03-09T00:25:13

Updated: 2024-08-03T19:21:17.286Z

Reserved: 2021-01-13T00:00:00

Link: CVE-2021-24033

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-09T01:15:13.433

Modified: 2021-03-16T18:34:51.430

Link: CVE-2021-24033

Redhat

Severity : Moderate

Publid Date: 2021-03-09T00:00:00Z

Links: CVE-2021-24033 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "react-dev-utils", "vendor": "Facebook", "versions": [{"lessThan": "unspecified", "status": "unaffected", "version": "11.0.4 ", "versionType": "custom"}, {"lessThan": "11.0.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "dateAssigned": "2021-03-04T00:00:00", "descriptions": [{"lang": "en", "value": "react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command (CWE-78)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-09T00:25:13", "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/facebook/create-react-app/pull/10644"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.facebook.com/security/advisories/cve-2021-24033"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@fb.com", "DATE_ASSIGNED": "2021-03-04", "ID": "CVE-2021-24033", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "react-dev-utils", "version": {"version_data": [{"version_affected": "!>=", "version_value": "11.0.4 "}, {"version_affected": "<", "version_value": "11.0.4"}]}}]}, "vendor_name": "Facebook"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Neutralization of Special Elements used in an OS Command (CWE-78)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/facebook/create-react-app/pull/10644", "refsource": "MISC", "url": "https://github.com/facebook/create-react-app/pull/10644"}, {"name": "https://www.facebook.com/security/advisories/cve-2021-24033", "refsource": "CONFIRM", "url": "https://www.facebook.com/security/advisories/cve-2021-24033"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:21:17.286Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/facebook/create-react-app/pull/10644"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.facebook.com/security/advisories/cve-2021-24033"}]}]}, "cveMetadata": {"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "assignerShortName": "facebook", "cveId": "CVE-2021-24033", "datePublished": "2021-03-09T00:25:13", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2024-08-03T19:21:17.286Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*", "matchCriteriaId": "A233E720-E5C4-48BD-B589-5A16D11BEFEE", "versionEndExcluding": "11.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you."}, {"lang": "es", "value": "react-dev-utils anterior a versi\u00f3n v11.0.4, expone una funci\u00f3n, getProcessForPort, donde un argumento de entrada se concatena en una cadena de comando para ser ejecutado. Esta funci\u00f3n se usa generalmente desde react-scripts (en los proyectos de Create React App), donde el uso es seguro. Solo cuando esta funci\u00f3n se invoca manualmente con valores proporcionados por el usuario (es decir, mediante c\u00f3digo personalizado) existe la posibilidad de inyecci\u00f3n de comandos. Si lo consume desde react-scripts, este problema no le afecta"}], "id": "CVE-2021-24033", "lastModified": "2021-03-16T18:34:51.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-09T01:15:13.433", "references": [{"source": "cve-assign@fb.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/facebook/create-react-app/pull/10644"}, {"source": "cve-assign@fb.com", "tags": ["Vendor Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2021-24033"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "cve-assign@fb.com", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs-react-dev-utils: function getProcessForPort concatenates input argument into a command string", "id": "1936805", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1936805"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-20->CWE-77", "details": ["react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you."], "name": "CVE-2021-24033", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "react-dev-utils", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "react-dev-utils", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-03-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-24033\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-24033\nhttps://github.com/facebook/create-react-app/pull/10644\nhttps://www.facebook.com/security/advisories/cve-2021-24033"], "threat_severity": "Moderate", "upstream_fix": "nodejs-react-dev-utils 11.0.4"}