GHSA-34h3-8mw4-qw57

Source
https://github.com/advisories/GHSA-34h3-8mw4-qw57
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-34h3-8mw4-qw57/GHSA-34h3-8mw4-qw57.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-34h3-8mw4-qw57
Aliases
Published
2024-03-29T20:16:22Z
Modified
2024-03-29T20:41:57.826467Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
@electron/packager's build process memory potentially leaked into final executable
Details

Impact

A random segment of ~1-10kb of Node.js heap memory allocated on either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc.

Patches

This issue is patched in 18.3.1.

Workarounds

No workarounds; please update to a patched version of @electron/packager immediately if impacted.

References

Affected packages

npm / @electron/packager

Package

Name
@electron/packager
Purl
pkg:npm/%40electron/packager

Affected ranges

Type
SEMVER
Events
Introduced
18.3.0
Fixed
18.3.1

Affected versions

18.*

18.3.0