gns3-web-ui icon indicating copy to clipboard operation
gns3-web-ui copied to clipboard

Published 20 hours ago verified publisher icon GNS3

CVE-2022-36077 (High) detected in electron-13.6.6.tgz

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

CVE-2022-36077 - High Severity Vulnerability

Vulnerable Library - electron-13.6.6.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-13.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

  • ngx-childprocess-0.0.6.tgz (Root Library)
    • electron-1.6.10.tgz
      • :x: electron-13.6.6.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents as a workaround.

Publish Date: 2022-11-08

URL: CVE-2022-36077

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/electron/electron/security/advisories/GHSA-p2jh-44qj-pf2v

Release Date: 2022-11-08

Fix Resolution: electron - 18.3.7,19.0.11,20.0.1

mend-for-github-com[bot] avatar Nov 11 '22 14:11 mend-for-github-com[bot]