5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4438

GHSA ID

GHSA-r956-2553-vvhr

EPSS Score

0.06514%

CWE

CWE-926

Published

4/7/2024

Updated

4/8/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-4438

CVE-2021-4438: React Native Sms User Consent Intent Redirection Vulnerability

A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function registerReceiver of the file android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt. The manipulation leads to improper export of android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4438

GHSA ID

GHSA-r956-2553-vvhr

EPSS Score

0.06514%

CWE

CWE-926

Published

4/7/2024

Updated

4/8/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@kyivstarteam/react-native-sms-user-consent	npm	< 1.1.5	1.1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the registerReceiver function in SmsUserConsentModule.kt registering a receiver without proper permission constraints. The patch adds SmsRetriever.SEND_PERMISSION to registerReceiver's parameters, confirming the vulnerability was caused by missing permission enforcement. CWE-926 directly maps to this unprotected component export scenario. The commit diff and advisory both explicitly reference this function as the attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s *riti**l, **s ***n *oun* in kyivst*rt**m r***t-n*tiv*-sms-us*r-*ons*nt up to *.*.* on *n*roi*. *****t** *y t*is issu* is t** *un*tion `r**ist*rR***iv*r` o* t** *il* `*n*roi*/sr*/m*in/j*v*/u*/kyivst*r/r***tn*ti

Reasoning

T** vuln*r**ility st*ms *rom t** `r**ist*rR***iv*r` *un*tion in `SmsUs*r*ons*ntMo*ul*.kt` r**ist*rin* * r***iv*r wit*out prop*r p*rmission *onstr*ints. T** p*t** ***s `SmsR*tri*v*r.S*N*_P*RMISSION` to `r**ist*rR***iv*r`'s p*r*m*t*rs, *on*irmin* t** v

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-4438: React Native Sms User Consent Intent Redirection Vulnerability

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI