CVEbaza.plSłownik CWECWE-154
Common Weakness Enumeration

CWE-154

Improper Neutralization of Variable Name Delimiters

Kategoria: VariantCVE: 1
Opis

Produkt odbiera dane wejściowe od komponentu nadrzędnego, ale nie neutralizuje lub nieprawidłowo neutralizuje elementy specjalne, które mogą być interpretowane jako ograniczniki nazw zmiennych podczas wysyłania do komponentu podrzędnego. Może to prowadzić do nieprzewidzianego wykonania kodu lub manipulacji zmiennymi.

Description (EN)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.

Podatności CVE z CWE-154 (1)
7.5
CVSS
HIGH
CVE-2024-39698

electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6.

pub. 2024-07-09
Informacje
ID: CWE-154
Typ: Variant
Podatności: 1
MITRE CWE ↗
← Słownik CWE
CWE-154 — Nieprawidłowa neutralizacja ograniczników nazw zmiennych | Słownik CWE | CVEbaza.pl