CVE-2021-4438 : A vulnerability, which was classified as critical, has been found in kyivstartea

A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function registerReceiver of the file android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt. The manipulation leads to improper export of android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.

Published 2024-04-07 09:15:08

Updated 2025-03-21 11:20:19

Source VulDB

View at NVD, CVE.org

Products affected by CVE-2021-4438

Kyivstar » React Native Sms User Consent
Versions up to, including, (<=) 1.1.4
cpe:2.3:a:kyivstar:react_native_sms_user_consent:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-4438

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-4438

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:L/AC:L/Au:S/C:P/I:P/A:P	3.1	6.4	VulDB	2024-04-07
Access Vector: Local Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
5.3	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	1.8	3.4	VulDB	2024-04-07
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	1.8	3.4	NIST	2025-03-21
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2021-4438

CWE-926 Improper Export of Android Application Components

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Assigned by: cna@vuldb.com (Secondary)

References for CVE-2021-4438

https://vuldb.com/?ctiid.259508

CVE-2021-4438: kyivstarteam react-native-sms-user-consent SmsUserConsentModule.kt registerReceiver improper export of android application components
Third Party Advisory;VDB Entry
https://vuldb.com/?id.259508

Third Party Advisory;VDB Entry
https://github.com/kyivstarteam/react-native-sms-user-consent/releases/tag/1.1.5

Release 1.1.5 · kyivstarteam/react-native-sms-user-consent · GitHub
Release Notes
https://github.com/kyivstarteam/react-native-sms-user-consent/commit/5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7

Remediation for Intent Redirection Vulnerability (#4) · kyivstarteam/react-native-sms-user-consent@5423dcb · GitHub
Patch
https://github.com/kyivstarteam/react-native-sms-user-consent/pull/4

Remediation for Intent Redirection Vulnerability by simonasdev · Pull Request #4 · kyivstarteam/react-native-sms-user-consent · GitHub
Patch

Jump to

Vulnerability Details : CVE-2021-4438

Products affected by CVE-2021-4438

Exploit prediction scoring system (EPSS) score for CVE-2021-4438

CVSS scores for CVE-2021-4438

CWE ids for CVE-2021-4438

References for CVE-2021-4438