Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-8xwg-wv7v-4vqp

Опубликовано: 26 мар. 2018
Источник: github
Github: Прошло ревью
CVSS3: 8.1

Описание

Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.

For the application to be impacted by this vulnerability it must meet all of these conditions

  • Runs on Electron 1.7, 1.8, or a 2.0.0-beta
  • Allows execution of arbitrary remote code
  • Disables Node.js integration
  • Does not explicitly declare webviewTag: false in its webPreferences
  • Does not enable the nativeWindowOption option
  • Does not intercept new-window events and manually override event.newGuest without using the supplied options tag

Recommendation

Update to electron version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.

If you are unable to update your Electron version can mitigate the vulnerability with the following code.

app.on('web-contents-created', (event, win) => { win.on('new-window', (event, newURL, frameName, disposition, options, additionalFeatures) => { if (!options.webPreferences) options.webPreferences = {}; options.webPreferences.nodeIntegration = false; options.webPreferences.nodeIntegrationInWorker = false; options.webPreferences.webviewTag = false; delete options.webPreferences.preload; }) }) // and *IF* you don't use WebViews at all, // you might also want app.on('web-contents-created', (event, win) => { win.on('will-attach-webview', (event, webPreferences, params) => { event.preventDefault(); }) })

Ссылки

Пакеты

Наименование

electron

npm
Затронутые версииВерсия исправления

>= 1.7.0, < 1.7.13

1.7.13

Наименование

electron

npm
Затронутые версииВерсия исправления

>= 1.8.0, < 1.8.4

1.8.4

Наименование

electron

npm
Затронутые версииВерсия исправления

>= 2.0.0-beta.1, < 2.0.0-beta.5

2.0.0-beta.5

EPSS

Процентиль: 80%
0.01407
Низкий

8.1 High

CVSS3

CVE ID

CVE-2018-1000136

Дефекты

CWE-20

Связанные уязвимости

redhat логотип

CVE-2018-1000136

CVSS3: 8.1
redhat
почти 8 лет назад

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

nvd логотип

CVE-2018-1000136

CVSS3: 8.1
nvd
почти 8 лет назад

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

debian логотип

CVE-2018-1000136

CVSS3: 8.1
debian
почти 8 лет назад

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0 ...

EPSS

Процентиль: 80%
0.01407
Низкий

8.1 High

CVSS3

CVE ID

CVE-2018-1000136

Дефекты

CWE-20