Lucene search

[email protected]CVE-2023-39956

HistorySep 06, 2023 - 9:15 p.m.

CVE-2023-39956

2023-09-0621:15:13

CWE-94

[email protected]

web.nvd.nist.gov

407

electron

framework

javascript

html

css

cross-platform

desktop applications

cve-2023-39956

security vulnerability

patch

nvd

6.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:26.0.0-beta.13, 25.4.1, 24.7.1, 23.3.13, and 22.3.19. There are no app side workarounds, users must update to a patched version of Electron.

Affected configurations

Vulners

NVD

Node

electronelectronRange<22.3.19

electronelectronRange23.0.0–23.3.13

electronelectronRange24.0.0–24.7.1

electronelectronRange25.0.0–25.4.1

electronelectronRange26.0.0-beta.1–26.0.0-beta.13

VendorProductVersionCPE
electronelectron*cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*
electronelectron*cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*
electronelectron*cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*
electronelectron*cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*
electronelectron*cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
electron	electron	*	cpe:2.3:a:electron:electron::::::::
electron	electron	*	cpe:2.3:a:electron:electron::::::::
electron	electron	*	cpe:2.3:a:electron:electron::::::::
electron	electron	*	cpe:2.3:a:electron:electron::::::::
electron	electron	*	cpe:2.3:a:electron:electron::::::::

CNA Affected

[
  {
    "vendor": "electron",
    "product": "electron",
    "versions": [
      {
        "version": "< 22.3.19",
        "status": "affected"
      },
      {
        "version": ">= 23.0.0, < 23.3.13",
        "status": "affected"
      },
      {
        "version": ">= 24.0.0, < 24.7.1",
        "status": "affected"
      },
      {
        "version": ">= 25.0.0, < 25.4.1",
        "status": "affected"
      },
      {
        "version": ">= 26.0.0-beta.1, < 26.0.0-beta.13",
        "status": "affected"
      }
    ]
  }
]