GHSA-w222-53c6-c86p

Source
https://github.com/advisories/GHSA-w222-53c6-c86p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-w222-53c6-c86p/GHSA-w222-53c6-c86p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w222-53c6-c86p
Aliases
Published
2018-01-23T03:57:44Z
Modified
2023-11-08T03:59:33.174686Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Remote Code Execution in electron
Details

Affected versions of electron may be susceptible to a remote code execution flaw when certain conditions are met:
1. The electron application is running on Windows.
2. The electron application registers as the default handler for a protocol, such as nodeapp://.

This vulnerability is caused by a failure to sanitize additional arguments passed to Chromium by Electron's command-line handler.

macOS and Linux are not vulnerable.

Recommendation

Update electron to a version that is not vulnerable. If updating is not possible, the electron team has provided the following guidance:

If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash -- signifies the end of command options, after which only positional parameters are accepted.

app.setAsDefaultProtocolClient(protocol, process.execPath, [
  '--your-switches-here',
  '--'
])
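The following is an added example, not Electron's code, that models why the trailing -- in the workaround above matters: it builds the argument list the way the guidance recommends, audits an existing list for the terminator, and runs a small "end of options" parser over the tokens a Windows protocol launch would hand the handler. The switch name --example-switch and the URL nodeapp://open are constructed placeholders.

```javascript
// Added example (not Electron's or Chromium's code). Models the effect of the
// trailing "--" workaround from the advisory. "--example-switch" is a
// constructed placeholder switch, not a real Chromium flag.

// Build the args for app.setAsDefaultProtocolClient, forcing "--" to be the
// final element so anything the shell appends afterwards is positional.
function buildProtocolClientArgs(switches) {
  const cleaned = switches.filter((a) => a !== '--');
  return [...cleaned, '--'];
}

// Audit helper: true only if "--" is present and is the last argument.
function hasTrailingOptionTerminator(args) {
  return args.length > 0 && args[args.length - 1] === '--';
}

// Minimal model of end-of-options parsing: every "--name[=value]" token is a
// switch until a bare "--" is seen; after that every token is positional.
function parseCommandLine(argv) {
  const switches = {};
  const positional = [];
  let optionsEnded = false;
  for (const token of argv) {
    if (!optionsEnded && token === '--') { optionsEnded = true; continue; }
    if (!optionsEnded && token.startsWith('--')) {
      const eq = token.indexOf('=');
      const name = eq === -1 ? token.slice(2) : token.slice(2, eq);
      switches[name] = eq === -1 ? '' : token.slice(eq + 1);
      continue;
    }
    positional.push(token);
  }
  return { switches, positional };
}

// Simulates Windows launching the registered handler: the registered args
// come first, then whatever tokens the shell derived from the protocol URL.
function simulateLaunch(registeredArgs, urlTokens) {
  return parseCommandLine([...registeredArgs, ...urlTokens]);
}

// Constructed launch tokens: a URL followed by a switch-shaped token.
const LAUNCH_TOKENS = ['nodeapp://open', '--example-switch=constructed'];

const unsafe = simulateLaunch(['--your-switches-here'], LAUNCH_TOKENS);
const safe = simulateLaunch(buildProtocolClientArgs(['--your-switches-here']), LAUNCH_TOKENS);
console.log('without --:', unsafe.switches); // example-switch parsed as a switch
console.log('with    --:', safe.positional); // same token kept positional
```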
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:59:07Z",
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.7.0
Fixed
1.7.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-w222-53c6-c86p/GHSA-w222-53c6-c86p.json"

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.6.0
Fixed
1.6.16

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-w222-53c6-c86p/GHSA-w222-53c6-c86p.json"

npm / electron

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.8.0
Fixed
1.8.2-beta.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-w222-53c6-c86p/GHSA-w222-53c6-c86p.json"
last_known_affected_version_range
"<= 1.8.2-beta.3"