8.6
CVE-2021-39184
- EPSS 0.37%
- Published 12.10.2021 19:15:07
- Last modified 21.11.2024 06:18:49
- Source security-advisories@github.com
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.
Data provided by the National Vulnerability Database (NVD)
Electronjs ≫ Electron Version >= 10.1.0 < 11.5.0
Electronjs ≫ Electron Version >= 12.0.0 < 12.1.0
Electronjs ≫ Electron Version >= 13.0.0 < 13.3.0
Electronjs ≫ Electron Version 14.0.0 Update beta1
Electronjs ≫ Electron Version 14.0.0 Update beta10
Electronjs ≫ Electron Version 14.0.0 Update beta11
Electronjs ≫ Electron Version 14.0.0 Update beta12
Electronjs ≫ Electron Version 14.0.0 Update beta13
Electronjs ≫ Electron Version 14.0.0 Update beta14
Electronjs ≫ Electron Version 14.0.0 Update beta15
Electronjs ≫ Electron Version 14.0.0 Update beta16
Electronjs ≫ Electron Version 14.0.0 Update beta17
Electronjs ≫ Electron Version 14.0.0 Update beta18
Electronjs ≫ Electron Version 14.0.0 Update beta19
Electronjs ≫ Electron Version 14.0.0 Update beta2
Electronjs ≫ Electron Version 14.0.0 Update beta20
Electronjs ≫ Electron Version 14.0.0 Update beta21
Electronjs ≫ Electron Version 14.0.0 Update beta22
Electronjs ≫ Electron Version 14.0.0 Update beta23
Electronjs ≫ Electron Version 14.0.0 Update beta24
Electronjs ≫ Electron Version 14.0.0 Update beta25
Electronjs ≫ Electron Version 14.0.0 Update beta3
Electronjs ≫ Electron Version 14.0.0 Update beta4
Electronjs ≫ Electron Version 14.0.0 Update beta5
Electronjs ≫ Electron Version 14.0.0 Update beta6
Electronjs ≫ Electron Version 14.0.0 Update beta7
Electronjs ≫ Electron Version 14.0.0 Update beta8
Electronjs ≫ Electron Version 14.0.0 Update beta9
Electronjs ≫ Electron Version 15.0.0 Update alpha1
Electronjs ≫ Electron Version 15.0.0 Update alpha2
Electronjs ≫ Electron Version 15.0.0 Update alpha3
Electronjs ≫ Electron Version 15.0.0 Update alpha4
Electronjs ≫ Electron Version 15.0.0 Update alpha5
Electronjs ≫ Electron Version 15.0.0 Update alpha6
Electronjs ≫ Electron Version 15.0.0 Update alpha7
Electronjs ≫ Electron Version 15.0.0 Update alpha8
Electronjs ≫ Electron Version 15.0.0 Update alpha9
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.579 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.6 | 3.9 | 4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| security-advisories@github.com | 6.8 | 2.2 | 4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
CWE-668 Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.