CyberSec.Space Logo
返回 CVE 浏览器

CVE-2021-24033

MEDIUM
5.6
CVSS Severity Score
EPSS Score0.1630%
EPSS Percentile2.25th
Published2021年3月9日
Last Modified2024年11月21日

Vulnerability Description

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Affected Platforms (CPE)

📦
Facebook

React Dev Utils

< 11.0.4

References & Advisories

🔗 https://github.com/facebook/create-react-app/pull/10644
🔗 https://www.facebook.com/security/advisories/cve-2021-24033
🔗 https://github.com/facebook/create-react-app/pull/10644
🔗 https://www.facebook.com/security/advisories/cve-2021-24033

相关漏洞威胁

CVE-2018-63429.8

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launc...

CVE-2021-2732910.0

Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names.

CVE-2021-4155610.0

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to ...

CVE-2021-138810.0

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could a...