CVE-2023-29198

Context isolation bypass via nested unserializable return value in Electron

Severity Score

8.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`.

Electron es un framework que le permite escribir aplicaciones de escritorio multiplataforma utilizando JavaScript, HTML y CSS. Las aplicaciones de Electron que usan `contextIsolation` y `contextBridge` se ven afectadas. Se trata de una omisión de aislamiento de contexto, lo que significa que el código que se ejecuta en el contexto mundial principal en el renderizador puede acceder al contexto aislado de Electron y realizar acciones privilegiadas. Este problema solo se puede explotar si una API expuesta al mundo principal a través de `contextBridge` puede devolver un objeto o matriz que contenga un objeto javascript que no se pueda serializar, por ejemplo, un contexto de representación de lienzo. Esto normalmente daría como resultado que se lanzara una excepción "Error: el objeto no se pudo clonar". El workaround del lado de la aplicación es garantizar que tal caso no sea posible. Asegúrese de que todos los valores devueltos por una función expuesta a través del puente de contexto sean compatibles. Este problema se solucionó en las versiones `25.0.0-alpha.2`, `24.0.1`, `23.2.3` y `22.3.6`.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-04-03 CVE Reserved
2023-09-06 CVE Published
2024-09-12 EPSS Updated
2024-09-26 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-754: Improper Check for Unusual or Exceptional Conditions

CAPEC

References (2)

URL	Tag	Source
https://www.electronjs.org/docs/latest/api/context-bridge#parameter--error--return-type-support	Product

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7	2023-09-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				< 22.3.6 Search vendor "Electronjs" for product "Electron" and version " < 22.3.6"		node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				>= 23.0.0 < 23.2.3 Search vendor "Electronjs" for product "Electron" and version " >= 23.0.0 < 23.2.3"		node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		alpha1, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		alpha2, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		alpha3, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		alpha4, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		alpha5, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		alpha6, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		alpha7, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		beta1, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		beta2, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		beta3, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		beta4, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		beta5, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		beta6, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				24.0.0 Search vendor "Electronjs" for product "Electron" and version "24.0.0"		beta7, node.js		Affected
Electronjs Search vendor "Electronjs"		Electron Search vendor "Electronjs" for product "Electron"				25.0.0 Search vendor "Electronjs" for product "Electron" and version "25.0.0"		alpha1, node.js		Affected