CVE-2022-29257 – Electron's AutoUpdater module fails to validate certain nested components of the bundle
https://notcve.org/view.php?id=CVE-2022-29257
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who control a given app's update server or update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto-updating infrastructure, and the ease of the attack depends entirely on the security of that infrastructure. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds. • https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97 • CWE-20: Improper Input Validation •
CVE-2022-29247 – Exposure of Resource to Wrong Sphere in Electron
https://notcve.org/view.php?id=CVE-2022-29247
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled, which in turn allows effective access to `ipcRenderer`. The `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs, which include `ipcRenderer`. • https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7 • CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2022-21718 – Renderers can obtain access to random bluetooth device without permission in Electron
https://notcve.org/view.php?id=CVE-2022-21718
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a Bluetooth device via the Web Bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched, and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue. • https://github.com/electron/electron/pull/32178 https://github.com/electron/electron/pull/32240 https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749 • CWE-668: Exposure of Resource to Wrong Sphere CWE-862: Missing Authorization •
CVE-2021-39184 – Sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
https://notcve.org/view.php?id=CVE-2021-39184
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. • https://github.com/electron/electron/pull/30728 https://github.com/electron/electron/security/advisories/GHSA-mpjm-v997-c4h4 • CWE-668: Exposure of Resource to Wrong Sphere CWE-862: Missing Authorization •
CVE-2020-26272 – IPC messages misrouted in Electron
https://notcve.org/view.php?id=CVE-2020-26272
The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. In affected versions of Electron, IPC messages sent from the main process to a subframe in the renderer process, through `webContents.sendToFrame`, `event.reply` or when using the `remote` module, can in some cases be delivered to the wrong frame. If your app uses `remote`, calls `webContents.sendToFrame`, or calls `event.reply` in an IPC message handler, then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no workarounds for this issue. • https://github.com/electron/electron/commit/07a1c2a3e5845901f7e2eda9506695be58edc73c https://github.com/electron/electron/pull/26875 https://github.com/electron/electron/releases/tag/v9.4.0 https://github.com/electron/electron/security/advisories/GHSA-hvf8-h2qh-37m9 https://www.electronjs.org/releases/stable?version=9#9.4.0 • CWE-668: Exposure of Resource to Wrong Sphere •