CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
31.3%
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/
, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn’t possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect')
event, for all WebContents as a workaround.
Vendor | Product | Version | CPE |
---|---|---|---|
microsoft | windows | - | cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
electronjs | electron | * | cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:* |
electronjs | electron | 21.0.0 | cpe:2.3:a:electronjs:electron:21.0.0:-:*:*:*:node.js:*:* |
electronjs | electron | 21.0.0 | cpe:2.3:a:electronjs:electron:21.0.0:alpha1:*:*:*:node.js:*:* |
electronjs | electron | 21.0.0 | cpe:2.3:a:electronjs:electron:21.0.0:alpha2:*:*:*:node.js:*:* |
electronjs | electron | 21.0.0 | cpe:2.3:a:electronjs:electron:21.0.0:alpha3:*:*:*:node.js:*:* |
electronjs | electron | 21.0.0 | cpe:2.3:a:electronjs:electron:21.0.0:alpha4:*:*:*:node.js:*:* |
electronjs | electron | 21.0.0 | cpe:2.3:a:electronjs:electron:21.0.0:alpha5:*:*:*:node.js:*:* |
electronjs | electron | 21.0.0 | cpe:2.3:a:electronjs:electron:21.0.0:alpha6:*:*:*:node.js:*:* |