CVE-2022-29247 – electron

Package

Manager: npm
Name: electron
Vulnerable Version: >=0 <15.5.5 || >=16.0.0-beta.1 <16.2.6 || >=17.0.0-beta.1 <17.2.0 || >=18.0.0-beta.1 <18.0.0-beta.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00388 pctl0.59128

Details

Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled ### Impact This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`. Please note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access rather it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`). If your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled. ### Patches This has been patched and the following Electron versions contain the fix: * `18.0.0-beta.6` * `17.2.0` * `16.2.6` * `15.5.5` ### Workarounds Ensure that all IPC message handlers appropriately validate `senderFrame` as per our [security tutorial here](https://github.com/electron/electron/blob/main/docs/tutorial/security.md#17-validate-the-sender-of-all-ipc-messages). ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

Metadata

Created: 2022-06-16T23:14:33Z
Modified: 2022-06-16T23:14:33Z
Source: MANUAL
CWE IDs: ["CWE-668"]
Alternative ID: GHSA-mq8j-3h7h-p8g7
Finding: F017
Auto approve: 1