GHSA-56pc-6jqp-xqj8

Suggest an improvement
Source
https://github.com/advisories/GHSA-56pc-6jqp-xqj8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-56pc-6jqp-xqj8/GHSA-56pc-6jqp-xqj8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-56pc-6jqp-xqj8
Aliases
Related
Published
2020-10-06T17:46:40Z
Modified
2023-11-08T04:02:34.067627Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Context isolation bypass in Electron
Details

Impact

Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nativeWindowOpen: true are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 11.0.0-beta.6
  • 10.1.2
  • 9.3.1
  • 8.5.2

For more information

If you have any questions or comments about this advisory: * Email us at security@electronjs.org

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-10-06T17:46:06Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-668",
        "CWE-693"
    ]
}
References

Affected packages

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0-beta.0
Fixed
8.5.2

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0-beta.0
Fixed
9.3.1

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
10.0.0-beta.0
Fixed
10.1.2

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
11.0.0-beta.0
Fixed
11.0.0-beta.6

Database specific

{
    "last_known_affected_version_range": "<= 11.0.0-beta.5"
}