GHSA-8XWG-WV7V-4VQP
Vulnerability from github – Published: 2018-03-26 16:41 – Updated: 2023-09-13 19:06
VLAI?
Summary
Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
Details
A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.
For the application to be impacted by this vulnerability it must meet all of these conditions
- Runs on Electron 1.7, 1.8, or a 2.0.0-beta
- Allows execution of arbitrary remote code
- Disables Node.js integration
- Does not explicitly declare webviewTag: false in its webPreferences
- Does not enable the nativeWindowOption option
- Does not intercept new-window events and manually override event.newGuest without using the supplied options tag
Recommendation
Update to electron version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.
If you are unable to update your Electron version can mitigate the vulnerability with the following code.
app.on('web-contents-created', (event, win) => {
win.on('new-window', (event, newURL, frameName, disposition,
options, additionalFeatures) => {
if (!options.webPreferences) options.webPreferences = {};
options.webPreferences.nodeIntegration = false;
options.webPreferences.nodeIntegrationInWorker = false;
options.webPreferences.webviewTag = false;
delete options.webPreferences.preload;
})
})
// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
win.on('will-attach-webview', (event, webPreferences, params) => {
event.preventDefault();
})
})
Severity ?
8.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-beta.1"
},
{
"fixed": "2.0.0-beta.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000136"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:26:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.\n\nFor the application to be impacted by this vulnerability it must meet all of these conditions\n\n- Runs on Electron 1.7, 1.8, or a 2.0.0-beta\n- Allows execution of arbitrary remote code\n- Disables Node.js integration\n- Does not explicitly declare webviewTag: false in its webPreferences\n- Does not enable the nativeWindowOption option\n- Does not intercept new-window events and manually override event.newGuest without using the supplied options tag\n\n\n## Recommendation\n\nUpdate to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.\n\nIf you are unable to update your Electron version can mitigate the vulnerability with the following code.\n\n```js\napp.on(\u0027web-contents-created\u0027, (event, win) =\u003e {\n win.on(\u0027new-window\u0027, (event, newURL, frameName, disposition,\n options, additionalFeatures) =\u003e {\n if (!options.webPreferences) options.webPreferences = {};\n options.webPreferences.nodeIntegration = false;\n options.webPreferences.nodeIntegrationInWorker = false;\n options.webPreferences.webviewTag = false;\n delete options.webPreferences.preload;\n })\n})\n\n// and *IF* you don\u0027t use WebViews at all,\n// you might also want\napp.on(\u0027web-contents-created\u0027, (event, win) =\u003e {\n win.on(\u0027will-attach-webview\u0027, (event, webPreferences, params) =\u003e {\n event.preventDefault();\n })\n})\n```",
"id": "GHSA-8xwg-wv7v-4vqp",
"modified": "2023-09-13T19:06:52Z",
"published": "2018-03-26T16:41:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000136"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/pull/12271"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/pull/12292"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/pull/12294"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/commit/1a48ee28276e6588dbf4e70e58d78e7bfdc57043"
},
{
"type": "WEB",
"url": "https://electronjs.org/blog/webview-fix"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
},
{
"type": "WEB",
"url": "https://www.electronjs.org/blog/webview-fix"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/574"
},
{
"type": "WEB",
"url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…