
CVE-2023-4863 in Electron

Open wwuck opened this issue 1 year ago • 2 comments

  • Etcher version: 1.18.12
  • Operating system and architecture: macOS Intel

Hi,

It looks like the latest release of Balena Etcher is bundled with a version of Electron that is vulnerable to CVE-2023-4863. Can we please get an update to fix this?

More details:
https://infosec.exchange/@TomSellers/111126339492371432
https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/

wwuck, Sep 28 '23 11:09

Already on it. As there's no loading of arbitrary WebP images, the risk of exploitation is low.

aethernet, Sep 28 '23 11:09

Thanks for the quick update

wwuck, Sep 28 '23 11:09