CVE-2021-39184 – electron

Package

Manager: npm
Name: electron
Vulnerable Version: >=10.1.0 <11.5.0 || >=12.0.0 <12.1.0 || >=13.0.0 <13.3.0 || >=14.0.0 <=15.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: 0.00366 pctl0.57806

Details

Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API ### Impact This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. All current stable versions of Electron are affected. ### Patches This was fixed with #30728, and the following Electron versions contain the fix: - 15.0.0-alpha.10 - 14.0.0 - 13.3.0 - 12.1.0 - 11.5.0 ### Workarounds If your app enables `contextIsolation`, this vulnerability is significantly more difficult for an attacker to exploit. Further, if your app does not depend on the `createThumbnailFromPath` API, then you can simply disable the functionality. In the main process, before the 'ready' event: ```js delete require('electron').nativeImage.createThumbnailFromPath ``` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

Metadata

Created: 2021-10-12T21:59:13Z
Modified: 2022-08-11T16:56:02Z
Source: MANUAL
CWE IDs: ["CWE-668", "CWE-862"]
Alternative ID: GHSA-mpjm-v997-c4h4
Finding: F039
Auto approve: 1