CVE-2024-39698

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39698
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39698.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-39698
Aliases
Published
2024-07-09T17:50:28.169Z
Modified
2025-11-20T12:27:55.147715Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6
Details

electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in command-line above. This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6.

Database specific 
{
    "cwe_ids": [
        "CWE-154"
    ]
}
References

Affected packages

Git / github.com/electron-userland/electron-builder

Affected ranges

Type
GIT
Repo
https://github.com/electron-userland/electron-builder
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2b80b01c4e9e5e7693460adda789cf270fbefe2b

Affected versions

22.*

22.11.10

@electron-builder/test@0.*

@electron-builder/test@0.0.0

app-builder-lib@22.*

app-builder-lib@22.14.13

app-builder-lib@23.*

app-builder-lib@23.0.0-alpha.0

builder-util-runtime@8.*

builder-util-runtime@8.9.2

builder-util-runtime@9.*

builder-util-runtime@9.0.0-alpha.0

builder-util@22.*

builder-util@22.14.13

builder-util@23.*

builder-util@23.0.0-alpha.0

dmg-builder@22.*

dmg-builder@22.14.13

dmg-builder@23.*

dmg-builder@23.0.0-alpha.0

docker@23.*

docker@23.0.0-alpha.0
docker@23.0.5
docker@23.0.8
docker@23.1.0
docker@23.2.0
docker@23.5.1
docker@23.6.0

docker@24.*

docker@24.0.0
docker@24.6.1
docker@24.6.2
docker@24.6.3
docker@24.8.0
docker@24.9.1

electron-builder-squirrel-windows@22.*

electron-builder-squirrel-windows@22.14.13

electron-builder-squirrel-windows@23.*

electron-builder-squirrel-windows@23.0.0-alpha.0

electron-builder@22.*

electron-builder@22.14.13

electron-builder@23.*

electron-builder@23.0.0-alpha.0

electron-forge-maker-appimage@22.*

electron-forge-maker-appimage@22.14.13

electron-forge-maker-appimage@23.*

electron-forge-maker-appimage@23.0.0-alpha.0

electron-forge-maker-nsis-web@22.*

electron-forge-maker-nsis-web@22.14.13

electron-forge-maker-nsis-web@23.*

electron-forge-maker-nsis-web@23.0.0-alpha.0

electron-forge-maker-nsis@22.*

electron-forge-maker-nsis@22.14.13

electron-forge-maker-nsis@23.*

electron-forge-maker-nsis@23.0.0-alpha.0

electron-forge-maker-snap@22.*

electron-forge-maker-snap@22.14.13

electron-forge-maker-snap@23.*

electron-forge-maker-snap@23.0.0-alpha.0

electron-publish@22.*

electron-publish@22.14.13

electron-publish@23.*

electron-publish@23.0.0-alpha.0

electron-updater-v3.*

electron-updater-v3.1.6
electron-updater-v3.1.7
electron-updater-v3.2.1
electron-updater-v3.2.2
electron-updater-v3.2.3

electron-updater-v4.*

electron-updater-v4.0.0
electron-updater-v4.0.1
electron-updater-v4.0.14
electron-updater-v4.0.2
electron-updater-v4.0.3
electron-updater-v4.0.4
electron-updater-v4.0.5
electron-updater-v4.0.6
electron-updater-v4.0.7
electron-updater-v4.1.0
electron-updater-v4.1.1
electron-updater-v4.1.2

electron-updater@4.*

electron-updater@4.6.5

electron-updater@5.*

electron-updater@5.0.0
electron-updater@5.0.0-alpha.0
electron-updater@5.0.0-alpha.1
electron-updater@5.0.0-alpha.2
electron-updater@5.0.0-alpha.3
electron-updater@5.0.0-alpha.4
electron-updater@5.0.1
electron-updater@5.0.2
electron-updater@5.0.3
electron-updater@5.0.4
electron-updater@5.0.5
electron-updater@5.0.6
electron-updater@5.1.0
electron-updater@5.2.0
electron-updater@5.2.1
electron-updater@5.2.2
electron-updater@5.2.3
electron-updater@5.2.4
electron-updater@5.3.0

electron-updater@6.*

electron-updater@6.0.0
electron-updater@6.0.0-alpha.0
electron-updater@6.0.0-alpha.1
electron-updater@6.0.0-alpha.2
electron-updater@6.0.0-alpha.3
electron-updater@6.0.0-alpha.4
electron-updater@6.0.0-alpha.5
electron-updater@6.0.0-alpha.6
electron-updater@6.0.0-alpha.7
electron-updater@6.0.0-alpha.8
electron-updater@6.0.0-alpha.9
electron-updater@6.0.1
electron-updater@6.0.2
electron-updater@6.0.3
electron-updater@6.0.4
electron-updater@6.1.0
electron-updater@6.1.1
electron-updater@6.1.2
electron-updater@6.1.3
electron-updater@6.1.4
electron-updater@6.1.5
electron-updater@6.1.6
electron-updater@6.1.7
electron-updater@6.1.8
electron-updater@6.1.9
electron-updater@6.2.0
electron-updater@6.2.1
electron-updater@6.3.0-alpha.0
electron-updater@6.3.0-alpha.1
electron-updater@6.3.0-alpha.2
electron-updater@6.3.0-alpha.3
electron-updater@6.3.0-alpha.4
electron-updater@6.3.0-alpha.5

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1

v10.*

v10.0.0
v10.1.0
v10.10.0
v10.11.0
v10.12.0
v10.13.0
v10.13.1
v10.14.0
v10.15.0
v10.15.1
v10.15.2
v10.16.0
v10.17.0
v10.17.2
v10.2.0
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.5.0
v10.6.0
v10.6.1
v10.7.0
v10.7.1
v10.8.0
v10.8.1
v10.9.0
v10.9.1
v10.9.2
v10.9.3

v11.*

v11.0.0
v11.1.0
v11.1.1
v11.2.0
v11.2.1
v11.2.4
v11.2.5
v11.3.0
v11.4.0
v11.4.1
v11.4.3
v11.4.4
v11.5.0
v11.5.1
v11.5.2
v11.6.0
v11.6.1
v11.7.0

v12.*

v12.0.0
v12.0.1
v12.0.2
v12.0.3
v12.1.0
v12.2.0
v12.3.0
v12.3.1

v13.*

v13.0.0
v13.1.0
v13.10.0
v13.10.1
v13.11.0
v13.11.1
v13.2.0
v13.3.1
v13.30
v13.4.0
v13.5.0
v13.6.0
v13.7.0
v13.8.0
v13.8.1
v13.8.2
v13.9.0

v14.*

v14.0.0
v14.0.1
v14.1.0
v14.1.1
v14.2.0
v14.3.0
v14.4.0
v14.4.1
v14.4.2
v14.5.0
v14.5.1
v14.5.2

v15.*

v15.0.0
v15.0.1
v15.1.0
v15.1.1
v15.2.0
v15.3.0
v15.4.0
v15.4.1
v15.4.2
v15.4.3
v15.5.0
v15.6.0
v15.6.1
v15.6.3

v16.*

v16.0.0
v16.0.1
v16.1.0
v16.2.0
v16.2.1
v16.3.0
v16.4.0
v16.4.1
v16.4.2
v16.5.0
v16.5.1
v16.6.0
v16.6.1
v16.6.2
v16.7.0
v16.7.1
v16.8.0
v16.8.1
v16.8.2
v16.8.3
v16.8.4

v17.*

v17.0.0
v17.0.1
v17.0.3
v17.1.0
v17.1.1
v17.1.2
v17.10.0
v17.2.0
v17.3.0
v17.3.1
v17.4.0
v17.5.0
v17.6.0
v17.7.0
v17.8.0
v17.9.0

v18.*

v18.0.0
v18.0.1
v18.1.0
v18.1.1
v18.2.1
v18.3.0
v18.3.5
v18.4.0
v18.5.0
v18.5.1
v18.6.0
v18.6.2
v18.7.0
v18.8.0

v19.*

v19.0.0
v19.0.2
v19.1.0
v19.10.0
v19.11.0
v19.11.1
v19.12.0
v19.13.0
v19.14.0
v19.15.0
v19.15.1
v19.15.5
v19.16.0
v19.16.1
v19.16.2
v19.16.3
v19.17.0
v19.18.0
v19.18.1
v19.19.1
v19.2.2
v19.2.3
v19.2.7
v19.20.0
v19.20.1
v19.21.0
v19.22.0
v19.22.1
v19.22.2
v19.23.0
v19.24.0
v19.24.1
v19.24.2
v19.24.4
v19.25.0
v19.25.1
v19.25.2
v19.26.0
v19.26.2
v19.27.0
v19.27.1
v19.27.3
v19.28.0
v19.28.1
v19.28.4
v19.29.0
v19.29.1
v19.29.2
v19.3.0
v19.30.0
v19.30.1
v19.30.2
v19.30.3
v19.30.4
v19.31.2
v19.32.0
v19.32.1
v19.32.2
v19.33.0
v19.34.0
v19.34.2
v19.34.3
v19.35.0
v19.35.1
v19.36.0
v19.36.1
v19.37.0
v19.37.1
v19.37.2
v19.38.0
v19.39.0
v19.4.0
v19.4.1
v19.4.2
v19.40.0
v19.41.0
v19.42.0
v19.42.2
v19.43.0
v19.43.1
v19.43.2
v19.43.3
v19.43.4
v19.44.0
v19.45.0
v19.45.1
v19.45.2
v19.45.5
v19.46.1
v19.46.2
v19.46.3
v19.46.4
v19.46.9
v19.47.0
v19.47.1
v19.48.0
v19.48.2
v19.48.3
v19.49.0
v19.49.2
v19.49.3
v19.49.4
v19.5.0
v19.5.1
v19.5.3
v19.5.4
v19.50.0
v19.51.0
v19.52.0
v19.52.1
v19.53.0
v19.53.1
v19.53.3
v19.53.4
v19.53.5
v19.53.6
v19.53.7
v19.54.0
v19.55.0
v19.55.1
v19.55.2
v19.55.3
v19.56.0
v19.56.1
v19.56.2
v19.6.0
v19.6.1
v19.6.2
v19.6.3
v19.7.0
v19.7.2
v19.7.3
v19.8.0
v19.9.0
v19.9.1

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.10.0
v2.10.1
v2.11.0
v2.2.0
v2.3.0
v2.3.1
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5

v20.*

v20.0.0
v20.0.1
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.9
v20.1.0
v20.1.1
v20.10.0
v20.11.0
v20.11.1
v20.12.0
v20.13.0
v20.13.1
v20.13.2
v20.13.3
v20.13.4
v20.13.5
v20.14.1
v20.14.2
v20.14.3
v20.14.6
v20.14.7
v20.15.0
v20.15.2
v20.15.3
v20.16.0
v20.16.1
v20.16.4
v20.17.0
v20.17.1
v20.17.2
v20.18.0
v20.19.0
v20.19.1
v20.19.2
v20.2.0
v20.2.1
v20.20.0
v20.20.3
v20.20.4
v20.21.0
v20.21.2
v20.22.0
v20.22.1
v20.23.0
v20.23.1
v20.24.0
v20.24.1
v20.24.2
v20.24.3
v20.24.5
v20.25.0
v20.26.0
v20.26.1
v20.27.0
v20.27.1
v20.28.1
v20.28.2
v20.28.3
v20.28.4
v20.29.0
v20.29.1
v20.3.0
v20.3.1
v20.30.0
v20.31.0
v20.31.1
v20.31.2
v20.31.3
v20.32.0
v20.33.0
v20.33.1
v20.33.2
v20.34.0
v20.35.0
v20.36.0
v20.36.1
v20.36.2
v20.37.0
v20.38.0
v20.38.1
v20.38.2
v20.38.3
v20.38.4
v20.38.5
v20.39.0
v20.4.0
v20.4.1
v20.40.0
v20.40.2
v20.41.0
v20.42.0
v20.43.0
v20.44.0
v20.44.1
v20.44.2
v20.44.3
v20.44.4
v20.5.0
v20.5.1
v20.6.0
v20.6.1
v20.7.1
v20.8.0
v20.8.1
v20.8.2
v20.9.0
v20.9.2

v21.*

v21.0.1
v21.0.10
v21.0.12
v21.0.14
v21.0.15
v21.0.2
v21.0.3
v21.0.4
v21.0.5
v21.0.6
v21.0.8
v21.0.9
v21.1.0
v21.1.2
v21.1.3
v21.1.5
v21.2.0

v22.*

v22.0.0
v22.1.0
v22.10.0
v22.10.2
v22.10.3
v22.10.4
v22.10.5
v22.11.1
v22.11.11
v22.11.2
v22.11.3
v22.11.4
v22.11.5
v22.11.7
v22.11.8
v22.11.9
v22.12.0
v22.12.1
v22.13.0
v22.13.1
v22.14.10
v22.14.11
v22.14.12
v22.14.13
v22.14.2
v22.14.3
v22.14.4
v22.14.5
v22.14.6
v22.14.7
v22.14.8
v22.14.9
v22.2.0
v22.3.0
v22.3.1
v22.3.2
v22.3.4
v22.3.5
v22.3.6
v22.4.0
v22.5.0
v22.5.1
v22.6.0
v22.6.1
v22.7.0
v22.8.0
v22.8.1
v22.9.1

v23.*

v23.0.0
v23.0.0-alpha.0
v23.0.0-alpha.1
v23.0.0-alpha.2
v23.0.0-alpha.3
v23.0.0-alpha.4
v23.0.1
v23.0.2
v23.0.3
v23.0.4
v23.0.6
v23.0.7
v23.0.8
v23.0.9
v23.1.0
v23.2.0
v23.3.0
v23.3.1
v23.3.2
v23.3.3
v23.4.0
v23.5.0
v23.5.1
v23.6.0

v24.*

v24.0.0
v24.0.0-alpha.1
v24.0.0-alpha.10
v24.0.0-alpha.11
v24.0.0-alpha.12
v24.0.0-alpha.13
v24.0.0-alpha.2
v24.0.0-alpha.3
v24.0.0-alpha.4
v24.0.0-alpha.5
v24.0.0-alpha.6
v24.0.0-alpha.7
v24.0.0-alpha.8
v24.0.0-alpha.9
v24.1.0
v24.1.1
v24.1.2
v24.1.3
v24.10.0
v24.11.0
v24.12.0
v24.13.0
v24.13.1
v24.13.2
v24.13.3
v24.13.4-alpha.0
v24.2.0
v24.2.1
v24.3.0
v24.4.0
v24.5.0
v24.5.1
v24.5.2
v24.6.0
v24.6.1
v24.6.2
v24.6.3
v24.6.4
v24.6.5
v24.7.0
v24.8.0
v24.8.1
v24.9.0
v24.9.1
v24.9.2
v24.9.3
v24.9.4

v25.*

v25.0.0-alpha.1
v25.0.0-alpha.10
v25.0.0-alpha.2
v25.0.0-alpha.3
v25.0.0-alpha.4
v25.0.0-alpha.5
v25.0.0-alpha.6
v25.0.0-alpha.7
v25.0.0-alpha.8
v25.0.0-alpha.9

v28.*

v28.0.0

v29.*

v29.30.0

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.1.2
v3.10.0
v3.11.0
v3.12.0
v3.13.0
v3.13.1
v3.14.0
v3.15.0
v3.16.0
v3.16.1
v3.17.0
v3.17.1
v3.18.0
v3.19.0
v3.2.0
v3.20.0
v3.21.0
v3.22.0
v3.22.1
v3.22.2
v3.23.0
v3.24.0
v3.25.0
v3.26.0
v3.26.1
v3.26.2
v3.26.3
v3.27.0
v3.3.0
v3.3.1
v3.4.0
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.7.0
v3.8.0
v3.9.0

v4.*

v4.0.0
v4.1.0
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.1.0
v5.10.0
v5.10.1
v5.10.2
v5.10.3
v5.10.4
v5.10.5
v5.11.0
v5.11.1
v5.11.2
v5.11.3
v5.12.0
v5.12.1
v5.13.0
v5.13.1
v5.14.0
v5.14.1
v5.14.2
v5.15.0
v5.16.0
v5.17.0
v5.17.1
v5.18.0
v5.19.0
v5.19.1
v5.2.0
v5.2.1
v5.20.0
v5.22.1
v5.22.2
v5.23.0
v5.23.1
v5.23.2
v5.24.0
v5.24.1
v5.25.0
v5.25.1
v5.26.0
v5.27.0
v5.28.0
v5.28.1
v5.28.2
v5.29.0
v5.3.0
v5.30.0
v5.31.0
v5.31.1
v5.32.0
v5.32.1
v5.33.0
v5.34.0
v5.34.1
v5.35.0
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.7.0
v5.8.0
v5.9.0

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.1.0
v6.2.0
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.4.0
v6.4.1
v6.5.0
v6.5.1
v6.5.2
v6.6.0
v6.6.1
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7

v7.*

v7.0.0
v7.0.1
v7.1.0
v7.10.0
v7.10.1
v7.10.2
v7.10.3
v7.11.0
v7.11.1
v7.11.2
v7.11.3
v7.11.4
v7.12.0
v7.12.1
v7.12.2
v7.13.0
v7.13.1
v7.14.0
v7.14.1
v7.14.2
v7.15.0
v7.15.1
v7.15.2
v7.16.0
v7.17.0
v7.17.1
v7.18.0
v7.18.1
v7.19.0
v7.19.1
v7.2.0
v7.20.0
v7.21.0
v7.22.0
v7.22.1
v7.23.0
v7.23.1
v7.23.2
v7.24.0
v7.24.1
v7.24.2
v7.25.0
v7.26.0
v7.3.0
v7.4.0
v7.5.0
v7.6.0
v7.7.0
v7.8.0
v7.9.0

v8.*

v8.0.0
v8.1.0
v8.2.0
v8.2.1
v8.3.0
v8.4.0
v8.4.1
v8.5.0
v8.5.1
v8.5.2
v8.5.3
v8.6.0
v8.7.0

v9.*

v9.0.0
v9.0.1
v9.1.0
v9.2.0