Release CVE-2021-24033 for react-dev-utils

2025-07-29 05:56:59 +00:00 · 2021-03-08 19:22:48 -05:00 · 2021-03-08 19:22:48 -05:00 · d69ba6f409
commit d69ba6f409
parent 4644dfe788
1 changed files with 72 additions and 17 deletions
--- a/2021/24xxx/CVE-2021-24033.json
+++ b/2021/24xxx/CVE-2021-24033.json
@ -1,18 +1,73 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-        "ID": "CVE-2021-24033",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
-    },
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
-            }
-        ]
-    }
-}
+	"CVE_data_meta": {
+		"ASSIGNER": "cve-assign@fb.com",
+		"DATE_ASSIGNED": "2021-03-04",
+		"ID": "CVE-2021-24033",
+		"STATE": "PUBLIC"
+	},
+	"affects": {
+		"vendor": {
+			"vendor_data": [
+				{
+					"vendor_name": "Facebook",
+					"product": {
+						"product_data": [
+							{
+								"product_name": "react-dev-utils",
+								"version": {
+									"version_data": [
+										{
+											"version_affected": "!>=",
+											"version_value": "11.0.4 "
+										},
+										{
+											"version_affected": "<",
+											"version_value": "11.0.4"
+										}
+									]
+								}
+							}
+						]
+					}
+				}
+			]
+		}
+	},
+	"data_format": "MITRE",
+	"data_type": "CVE",
+	"data_version": "4.0",
+	"description": {
+		"description_data": [
+			{
+				"lang": "eng",
+				"value": "react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you."
+			}
+		]
+	},
+	"problemtype": {
+		"problemtype_data": [
+			{
+				"description": [
+					{
+						"lang": "eng",
+						"value": "Improper Neutralization of Special Elements used in an OS Command (CWE-78)"
+					}
+				]
+			}
+		]
+	},
+	"references": {
+		"reference_data": [
+			{
+				"refsource": "MISC",
+				"name": "https://github.com/facebook/create-react-app/pull/10644",
+				"url": "https://github.com/facebook/create-react-app/pull/10644"
+			},
+			{
+				"refsource": "CONFIRM",
+				"name": "https://www.facebook.com/security/advisories/cve-2021-24033",
+				"url": "https://www.facebook.com/security/advisories/cve-2021-24033"
+			}
+		]
+	}
+}