CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
82.1%
A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.
For the application to be impacted by this vulnerability it must meet all of these conditions
Update to electron
version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.
If you are unable to update your Electron version can mitigate the vulnerability with the following code.
app.on('web-contents-created', (event, win) => {
win.on('new-window', (event, newURL, frameName, disposition,
options, additionalFeatures) => {
if (!options.webPreferences) options.webPreferences = {};
options.webPreferences.nodeIntegration = false;
options.webPreferences.nodeIntegrationInWorker = false;
options.webPreferences.webviewTag = false;
delete options.webPreferences.preload;
})
})
// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
win.on('will-attach-webview', (event, webPreferences, params) => {
event.preventDefault();
})
})
electronjs.org/blog/webview-fix
github.com/advisories/GHSA-8xwg-wv7v-4vqp
github.com/electron/electron/commit/1a48ee28276e6588dbf4e70e58d78e7bfdc57043
github.com/electron/electron/pull/12271
github.com/electron/electron/pull/12292
github.com/electron/electron/pull/12294
nvd.nist.gov/vuln/detail/CVE-2018-1000136
www.electronjs.org/blog/webview-fix
www.npmjs.com/advisories/574
www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
82.1%