CVE-2023-49314

Опубликовано: 28 нояб. 2023

Источник: nvd

CVSS3: 7.8

EPSS Средний

Описание

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

Ссылки

https://asana.com/pt/download
Product
https://github.com/electron/fuses
Product
https://github.com/louiselalanne/CVE-2023-49314
Third Party Advisory
https://github.com/r3ggi/electroniz3r
Product
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses
Technical Description
https://asana.com/pt/download
Product
https://github.com/electron/fuses
Product
https://github.com/louiselalanne/CVE-2023-49314
Third Party Advisory
https://github.com/r3ggi/electroniz3r
Product
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses
Technical Description

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:asana:desktop:2.1.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

EPSS

Процентиль: 96%

0.21612

Средний

7.8 High

CVSS3

Дефекты

CWE-94

Связанные уязвимости

GHSA-3ghj-wv9w-7vp9

CVSS3: 9.8

github

около 2 лет назад