CVE-2023-44402

EPSS 0.21%
Veröffentlicht 01.12.2023 22:15:09
Zuletzt bearbeitet 21.11.2024 08:25:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

ASAR Integrity bypass via filetype confusion in electron

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled.  Apps without these fuses enabled are not impacted.  This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too.  i.e. the ability to edit files inside the `.app` bundle on macOS which these fuses are supposed to protect against. There are no app side workarounds, you must update to a patched version of Electron.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 11 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Electronjs ≫ Electron SwPlatformnode.js Version <= 22.3.24

Electronjs ≫ Electron SwPlatformnode.js Version >= 23.0.0 <= 23.3.14

Electronjs ≫ Electron SwPlatformnode.js Version >= 24.0.0 <= 24.8.3

Electronjs ≫ Electron SwPlatformnode.js Version >= 25.0.0 <= 25.8.1

Electronjs ≫ Electron SwPlatformnode.js Version >= 26.0.0 <= 26.2.1

Electronjs ≫ Electron Version27.0.0 Updatealpha1 SwPlatformnode.js

Electronjs ≫ Electron Version27.0.0 Updatealpha2 SwPlatformnode.js

Electronjs ≫ Electron Version27.0.0 Updatealpha3 SwPlatformnode.js

Electronjs ≫ Electron Version27.0.0 Updatealpha4 SwPlatformnode.js

Electronjs ≫ Electron Version27.0.0 Updatealpha5 SwPlatformnode.js

Electronjs ≫ Electron Version27.0.0 Updatealpha6 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.107

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7	1	5.9	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	6.1	1.3	4.7	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://www.electronjs.org/docs/latest/tutorial/fuses

Product

https://github.com/electron/electron/pull/39788

Issue Tracking

https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-44402

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-44402

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-44402

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-44402