
CVE-2018-1000006 electron

Package

Manager: npm
Name: electron
Vulnerable Version: >=1.7.0 <1.7.11 || >=1.6.0 <1.6.16 || >=1.8.0 <1.8.2-beta.4

Severity

Level: High

CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.9209 (percentile 0.99697)

Details

Remote Code Execution in electron

Affected versions of `electron` may be susceptible to a remote code execution flaw when the following conditions are met:

1. The Electron application is running on Windows.
2. The Electron application registers itself as the default handler for a protocol, such as `nodeapp://`.

The vulnerability is caused by a failure to sanitize additional arguments passed to Chromium in Electron's command line handler. macOS and Linux are not vulnerable.

Recommendation

Update electron to a version that is not vulnerable. If updating is not possible, the Electron team has provided the following guidance: if you are unable to upgrade your Electron version, append `--` as the last argument when calling `app.setAsDefaultProtocolClient`, which prevents Chromium from parsing further options. The double dash `--` signifies the end of command options, after which only positional parameters are accepted.

```js
app.setAsDefaultProtocolClient(protocol, process.execPath, [
  '--your-switches-here',
  '--'
])
```
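The following is an added example, not code from Electron or from this advisory. It models why the trailing `--` in the recommended registration matters: a small stand-in for Chromium's command-line parsing treats `--name=value` tokens as switches until it meets a bare `--`, after which every token is positional. The executable path, the `nodeapp://open` URL, the `--injected-switch` token and `handlerArgs`/`isHardened` are all constructed for illustration; the extra token stands for "an additional argument reaching the command line" and is not a claim about the real exploit vector.

```javascript
// Added example (not Electron's or Chromium's code): why "--" as the last
// registered argument stops later tokens from being parsed as switches.
// All switch names and paths below are hypothetical placeholders.

// Switches a hypothetical app registers for its nodeapp:// handler.
const APP_SWITCHES = ['--your-switches-here'];

// Argument list to hand to app.setAsDefaultProtocolClient.
// hardened=true appends the "--" end-of-options marker from the advisory.
function handlerArgs(switches, hardened) {
  return hardened ? [...switches, '--'] : [...switches];
}

// Audit check for an existing registration: it only counts as hardened if
// "--" is the very last argument (a "--" in the middle does not cover
// switches that are registered after it).
function isHardened(args) {
  return args.length > 0 && args[args.length - 1] === '--';
}

// Minimal model of Chromium-style command-line parsing: tokens beginning
// with "--" are switches until a bare "--" is seen; after that every token
// is positional. (Chromium also accepts "-" and, on Windows, "/" prefixes;
// those are omitted here as they do not change the point.)
function parseChromiumArgv(argv) {
  const switches = {};
  const positional = [];
  let endOfOptions = false;
  for (const token of argv.slice(1)) {          // argv[0] is the executable
    if (!endOfOptions && token === '--') {
      endOfOptions = true;
      continue;
    }
    if (!endOfOptions && token.startsWith('--')) {
      const body = token.slice(2);
      const eq = body.indexOf('=');
      if (eq === -1) switches[body] = '';
      else switches[body.slice(0, eq)] = body.slice(eq + 1);
    } else {
      positional.push(token);
    }
  }
  return { switches, positional };
}

// Simulates the argv the handler process receives on Windows: the registered
// executable and arguments, then the protocol URL, then any additional tokens
// that reached the command line. Constructed input; "--injected-switch" is
// not a real Chromium switch.
function simulateLaunch(registeredArgs, extraTokens) {
  const argv = ['C:\\app\\app.exe', ...registeredArgs, 'nodeapp://open', ...extraTokens];
  return parseChromiumArgv(argv);
}

const EXTRA = ['--injected-switch=attacker-value'];

const unhardened = simulateLaunch(handlerArgs(APP_SWITCHES, false), EXTRA);
const hardened = simulateLaunch(handlerArgs(APP_SWITCHES, true), EXTRA);

console.log('unhardened switches:', unhardened.switches);
// { 'your-switches-here': '', 'injected-switch': 'attacker-value' }
console.log('hardened switches:', hardened.switches);
// { 'your-switches-here': '' } -- the URL and the injected token are
// positional and are never interpreted as options.
console.log('hardened positional:', hardened.positional);
// [ 'nodeapp://open', '--injected-switch=attacker-value' ]
```

Run it with `node` to compare the two parses. In the unhardened registration the injected token lands in the switch map alongside the app's own switch; with `--` appended it is carried as an inert positional argument, which is exactly the behaviour the recommendation relies on. `isHardened` is the one-line check to run over your own `setAsDefaultProtocolClient` call sites when you cannot upgrade yet.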

Metadata

Created: 2018-01-23T03:57:44Z
Modified: 2021-06-10T19:55:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-w222-53c6-c86p/GHSA-w222-53c6-c86p.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-w222-53c6-c86p
Finding: F004
Auto approve: 1