Описание
SSL Validation Defaults to False in electron-packager
Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.
This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.
This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.
Recommendation
- Update to version 7.0.0 or later.
- Delete the
electron-downloadcache folder, which is by default located at~/.electron.
Пакеты
electron-packager
>= 5.2.1, < 7.0.0
7.0.0
Связанные уязвимости
electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron. The `--strict-ssl` command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not explicitly set to true. This could allow an attacker to perform a man in the middle attack.