CVE-2018-6342
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
react-dev-utils en Windows permite a desarrolladores ejecutar un servidor web local que acepta varios comandos, incluyendo un comando para iniciar un editor. Las entradas a dicho comando no fueron sanadas debidamente, permitiendo a un atacante que puede enviar una petición de red al servidor (o mediante CSRF o bajo petición directa) para ejecutar comandos arbitrarios en el sistema objetivo. Este problema afecta a múltiples gamas: Las versiones 1.x.x anteriores a la 1.0.4, las 2.x.x anteriores a la 2.0.2, las 3.x.x anteriores a la 3.1.2, las 4.x.x anteriores a la 4.2.2 y las 5.x.x anteriores a la 5.0.2.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-01-26 CVE Reserved
- 2018-07-26 First Exploit
- 2018-12-31 CVE Published
- 2024-05-23 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/facebook/create-react-app/pull/4866 | Third Party Advisory | |
| https://github.com/facebook/create-react-app/releases/tag/v1.1.5 | Release Notes |
| URL | Date | SRC |
|---|---|---|
| https://github.com/ossf-cve-benchmark/CVE-2018-6342 | 2018-07-26 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Facebook Search vendor "Facebook" | React-dev-utils Search vendor "Facebook" for product "React-dev-utils" | >= 1.0.0 < 1.0.4 Search vendor "Facebook" for product "React-dev-utils" and version " >= 1.0.0 < 1.0.4" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Facebook Search vendor "Facebook" | React-dev-utils Search vendor "Facebook" for product "React-dev-utils" | >= 2.0.0 < 2.0.2 Search vendor "Facebook" for product "React-dev-utils" and version " >= 2.0.0 < 2.0.2" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Facebook Search vendor "Facebook" | React-dev-utils Search vendor "Facebook" for product "React-dev-utils" | >= 3.0.0 < 3.1.2 Search vendor "Facebook" for product "React-dev-utils" and version " >= 3.0.0 < 3.1.2" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Facebook Search vendor "Facebook" | React-dev-utils Search vendor "Facebook" for product "React-dev-utils" | >= 4.0.0 < 4.2.2 Search vendor "Facebook" for product "React-dev-utils" and version " >= 4.0.0 < 4.2.2" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Facebook Search vendor "Facebook" | React-dev-utils Search vendor "Facebook" for product "React-dev-utils" | >= 5.0.0 < 5.0.2 Search vendor "Facebook" for product "React-dev-utils" and version " >= 5.0.0 < 5.0.2" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|