CVE-2021-24033 Vulnerability Details

  /     /     /  

CVE-2021-24033 Metadata Quick Info

CVE Published: 09/03/2021 | CVE Updated: 03/08/2024 | CVE Year: 2021
Source: facebook | Vendor: Facebook | Product: react-dev-utils
Status : PUBLISHED

---

CVE-2021-24033 Description

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you\'re consuming it from react-scripts then this issue does not affect you.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-78
CWE Name: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
Source: Facebook

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).