CVE-2018-6342
published 2018-12-31CVE-2018-6342: react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to…
PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.84%
84.9th percentile
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| react-dev-utils | — | — | |
| react-dev-utils | — | — | |
| react-dev-utils | — | — | |
| react-dev-utils | — | — | |
| react-dev-utils | — | — | |
| react-dev-utils | >= 1.0.0 < unspecified | unspecified | |
| react-dev-utils | >= 1.0.0 < 1.0.4 | 1.0.4 | |
| react-dev-utils | >= 1.0.0 < 1.0.4 | 1.0.4 | |
| react-dev-utils | >= 2.0.0 < unspecified | unspecified | |
| react-dev-utils | >= 2.0.0 < 2.0.2 | 2.0.2 | |
| react-dev-utils | >= 2.0.0 < 2.0.2 | 2.0.2 | |
| react-dev-utils | >= 3.0.0 < unspecified | unspecified | |
| react-dev-utils | >= 3.0.0 < 3.1.2 | 3.1.2 | |
| react-dev-utils | >= 3.0.0 < 3.1.2 | 3.1.2 | |
| react-dev-utils | >= 4.0.0 < unspecified | unspecified | |
| react-dev-utils | >= 4.0.0 < 4.2.2 | 4.2.2 | |
| react-dev-utils | >= 4.0.0 < 4.2.2 | 4.2.2 | |
| react-dev-utils | >= 5.0.0 < unspecified | unspecified | |
| react-dev-utils | >= 5.0.0 < 5.0.2 | 5.0.2 | |
| react-dev-utils | >= 5.0.0 < 5.0.2 | 5.0.2 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
react-dev-utils on Windows vulnerable to Remote Code Execution
osv·2019-01-04
CVE-2018-6342 [HIGH] react-dev-utils on Windows vulnerable to Remote Code Execution
react-dev-utils on Windows vulnerable to Remote Code Execution
`react-dev-utils` on Windows is vulnerable to remote code execution.
## Recommendation
Update to one of the following versions, depending on the release line that you are using.
- 1.0.4
- 2.0.2
- 3.1.2
- 4.2.2
- 5.0.2
- 6.0.0-next.a671462c
GHSA
react-dev-utils on Windows vulnerable to Remote Code Execution
ghsa·2019-01-04
CVE-2018-6342 [HIGH] CWE-78 react-dev-utils on Windows vulnerable to Remote Code Execution
react-dev-utils on Windows vulnerable to Remote Code Execution
`react-dev-utils` on Windows is vulnerable to remote code execution.
## Recommendation
Update to one of the following versions, depending on the release line that you are using.
- 1.0.4
- 2.0.2
- 3.1.2
- 4.2.2
- 5.0.2
- 6.0.0-next.a671462c
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2018-12-31
Published