HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2024-39698

CVSS 7.5v3.1pub. 2024-07-09upd. 2024-11-21

electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Electron Builder

    APP
    Electron
    6.3.0< 6.3.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2024-27303HIGH7.3ten sam produkt

electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for m...

CVE-2017-12581HIGH8.1ten sam vendor

GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability...