react-dev-utils up to 1.0.3/2.0.1/3.1.1/4.2.1/5.0.3 on Windows Webserver Network Request cross-site request forgery
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.3 | $0-$5k | 0.00 |
A vulnerability classified as problematic has been found in react-dev-utils up to 1.0.3/2.0.1/3.1.1/4.2.1/5.0.3 on Windows (JavaScript Library). It affects unknown processing in the Webserver component. Manipulation as part of a Network Request leads to a cross-site request forgery vulnerability, classified as CWE-352: the web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted it. Integrity is impacted. The summary by CVE is:
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
The bug was discovered on 08/22/2018 and the weakness was published on 12/31/2018 (Website); the advisory can be read at github.com. The vulnerability has been identified as CVE-2018-6342 since 01/26/2018. Attacking locally is a requirement, and no authentication is needed for successful exploitation. Technical details are unknown and no exploit is publicly available.
The vulnerability was handled as a non-public zero-day exploit for at least 131 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys can test for this issue with plugin 91519 (React-Dev-Utils Remote Code Execution Vulnerability).
Upgrading to version 1.0.4, 2.0.2, 3.1.2, 4.2.2 or 5.0.2 eliminates this vulnerability.
CVSSv3
VulDB Meta Base Score: 6.4
VulDB Meta Temp Score: 6.3
VulDB Base Score: 4.0
VulDB Temp Score: 3.8
NVD Base Score: 8.8
Exploiting
Class: Cross-site request forgery
CWE: CWE-352 / CWE-862 / CWE-863
Local: Yes
Remote: No
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: react-dev-utils 1.0.4/2.0.2/3.1.2/4.2.2/5.0.2
Patch: github.com
Timeline
01/26/2018 (CVE assigned)
08/22/2018 (discovered)
12/31/2018
12/31/2018
01/01/2019 (entry created)
06/22/2023 (entry updated)
Sources
Advisory: github.com
Status: Not defined
CVE: CVE-2018-6342
Entry
Created: 01/01/2019 12:02
Updated: 06/22/2023 15:36
Changes: 01/01/2019 12:02 (62), 04/25/2020 16:31 (1), 06/22/2023 15:36 (5)