
CVE-2021-4438: React Native Sms User Consent Intent Redirection Vulnerability

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.06514%
Published: 4/7/2024
Updated: 4/8/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name: @kyivstarteam/react-native-sms-user-consent
Ecosystem: npm
Vulnerable Versions: < 1.1.5
First Patched Version: 1.1.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the registerReceiver function in SmsUserConsentModule.kt registering a receiver without proper permission constraints. The patch adds SmsRetriever.SEND_PERMISSION to registerReceiver's parameters, confirming the vulnerability was caused by missing permission enforcement. CWE-926 directly maps to this unprotected component export scenario. The commit diff and advisory both explicitly reference this function as the attack vector.
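As an added illustration of the root cause and the patch described above (not the module's own code), the snippet below shows a simplified SMS User Consent receiver registered first without a broadcast permission and then with SmsRetriever.SEND_PERMISSION; the receiver class and the two registration functions are hypothetical names.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import com.google.android.gms.auth.api.phone.SmsRetriever
import com.google.android.gms.common.api.CommonStatusCodes
import com.google.android.gms.common.api.Status

// Hypothetical receiver for the SMS User Consent broadcast (not the library's class).
class SmsConsentReceiver(private val onConsentIntent: (Intent) -> Unit) : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != SmsRetriever.SMS_RETRIEVED_ACTION) return
        val extras = intent.extras ?: return
        val status = extras.get(SmsRetriever.EXTRA_STATUS) as? Status ?: return
        if (status.statusCode == CommonStatusCodes.SUCCESS) {
            // The consent Intent is handed to startActivityForResult by the app, so it
            // must only ever come from a sender holding SEND_PERMISSION (Play services).
            extras.getParcelable<Intent>(SmsRetriever.EXTRA_CONSENT_INTENT)?.let(onConsentIntent)
        }
    }
}

// Vulnerable shape (CWE-926): no broadcast permission is required of the sender,
// so another app on the same device can deliver a spoofed SMS_RETRIEVED_ACTION
// broadcast and control the Intent the app goes on to launch.
fun registerUnprotected(context: Context, receiver: BroadcastReceiver) {
    context.registerReceiver(receiver, IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION))
}

// Patched shape: the sender must hold SmsRetriever.SEND_PERMISSION, which only
// Google Play services is granted, so broadcasts from other apps are dropped by
// the system before onReceive runs. Apps targeting newer SDK levels also pass
// a RECEIVER_EXPORTED / RECEIVER_NOT_EXPORTED flag via the flags overload.
fun registerProtected(context: Context, receiver: BroadcastReceiver) {
    context.registerReceiver(
        receiver,
        IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION),
        SmsRetriever.SEND_PERMISSION,
        null // scheduler: deliver on the main thread
    )
}
```

A quick check for the same defect elsewhere: any registerReceiver call for SMS_RETRIEVED_ACTION that passes only a receiver and filter is in the unprotected shape.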
