GHSA-r4pf-3v7r-hh55

Source
https://github.com/advisories/GHSA-r4pf-3v7r-hh55
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r4pf-3v7r-hh55/GHSA-r4pf-3v7r-hh55.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r4pf-3v7r-hh55
Aliases
Related
Published
2024-03-04T20:42:45Z
Modified
2024-03-06T21:36:08Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
Details

Impact

Windows only: the NSIS installer script (.nsh) that electron-builder generates launches cmd.exe through NSExec without a fully-qualified path. When Windows resolves an unqualified executable name for a new process, the search starts in the directory that holds the running executable, here the folder the installer was saved to, before the system directories and PATH. An attacker who can drop a malicious file named cmd.exe into the same folder as the installer therefore gets it executed, with the installer's privileges, as soon as the user runs the installer (untrusted search path, CWE-426 / CWE-427). This matches the CVSS vector: local access and low privileges suffice, but the victim must launch the installer.
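The search-path issue and its remedy, as an added illustration in NSIS script; this is not electron-builder's own installer.nsh and does not reproduce the patched lines, it only shows the unqualified invocation beside a fully-qualified one. The macro names and the `tasklist` command are assumptions; `nsExec::ExecToStack`, `$SYSDIR` and LogicLib are standard NSIS.

```nsis
; Added example, not code from electron-builder. The hypothetical helper
; runs a command through cmd.exe and leaves its exit code in $0.
!include LogicLib.nsh

; Vulnerable form: "cmd.exe" is an unqualified name, so the Windows loader
; resolves it by searching the installer's own directory first. A planted
; cmd.exe beside the installer .exe wins over C:\Windows\System32\cmd.exe
; (CWE-427: uncontrolled search path element).
!macro _runCmdUnsafe command
  nsExec::ExecToStack 'cmd.exe /c ${command}'
  Pop $0 ; exit code, or "error" if the process could not be started
!macroend

; Fixed form: a fully-qualified path leaves nothing for the loader to
; search for. $SYSDIR expands to the Windows system directory, so the
; installer's download folder is never consulted.
!macro _runCmdSafe command
  nsExec::ExecToStack '"$SYSDIR\cmd.exe" /c ${command}'
  Pop $0
!macroend

Section "Install"
  ; Example use: query whether the app is still running before installing.
  ; "MyApp.exe" is a placeholder for the product being installed.
  !insertmacro _runCmdSafe 'tasklist /FI "IMAGENAME eq MyApp.exe"'
  ${If} $0 != "error"
    Pop $1 ; captured stdout/stderr of the command, pushed below the exit code
    DetailPrint "tasklist exit code $0"
  ${EndIf}
SectionEnd
```

Any other NSIS call that starts a process by bare name (ExecWait, Exec, ExecShell with an executable argument) has the same resolution order, so the check to run over a generated .nsh is simply: every executable name passed to a process-launching instruction is either an absolute path or anchored on $SYSDIR, $WINDIR, $INSTDIR or another variable the installer controls.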

Patches

Fixed in https://github.com/electron-userland/electron-builder/pull/8059

Workarounds

None. The vulnerable call runs at installer level, before the application exists on the target system, so nothing on the application side can guard an already-built installer; the only remedy is to rebuild and redistribute installers with a fixed version of app-builder-lib.

References

https://cwe.mitre.org/data/definitions/426.html
https://cwe.mitre.org/data/definitions/427

Database specific
{
    "github_reviewed_at": "2024-03-04T20:42:45Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-426",
        "CWE-427"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2024-03-06T19:15:08Z"
}
Affected packages

npm / app-builder-lib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
24.13.2