Update dependency electron to v22 [SECURITY]#268
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
a9b3bd6 to
594634b
Compare
594634b to
163566c
Compare
163566c to
eab6f41
Compare
eab6f41 to
76e36bc
Compare
76e36bc to
de8ac9a
Compare
de8ac9a to
e0e93bf
Compare
e0e93bf to
2c52b49
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.0.5→22.3.25Unpreventable top-level navigation
CVE-2020-15174 / GHSA-2q4g-w47c-4674
More information
Details
Impact
The
will-navigateevent that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites.Patches
11.0.0-beta.110.0.19.3.08.5.1Workarounds
Sandbox all your iframes using the
sandboxattribute. This will prevent them creating top-frame navigations and is good practice anyway.For more information
If you have any questions or comments about this advisory:
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Context isolation bypass in Electron
CVE-2020-15215 / GHSA-56pc-6jqp-xqj8
More information
Details
Impact
Apps using both
contextIsolationandsandbox: trueare affected.Apps using both
contextIsolationandnativeWindowOpen: trueare affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
11.0.0-beta.610.1.29.3.18.5.2For more information
If you have any questions or comments about this advisory:
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
IPC messages delivered to the wrong frame in Electron
CVE-2020-26272 / GHSA-hvf8-h2qh-37m9
More information
Details
Impact
IPC messages sent from the main process to a subframe in the renderer process, through
webContents.sendToFrame,event.replyor when using theremotemodule, can in some cases be delivered to the wrong frame.If your app does ANY of the following, then it is impacted by this issue:
remotewebContents.sendToFrameevent.replyin an IPC message handlerPatches
This has been fixed in the following versions:
Workarounds
There are no workarounds for this issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
CVE-2021-39184 / GHSA-mpjm-v997-c4h4
More information
Details
Impact
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
Workarounds
If your app enables
contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.Further, if your app does not depend on the
createThumbnailFromPathAPI, then you can simply disable the functionality. In the main process, before the 'ready' event:For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Renderers can obtain access to random bluetooth device without permission in Electron
CVE-2022-21718 / GHSA-3p22-ghq8-v749
More information
Details
Impact
This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom
select-bluetooth-deviceevent handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.616.0.615.3.514.2.413.6.6Workarounds
Adding this code to your app can workaround the issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
CVE-2022-29247 / GHSA-mq8j-3h7h-p8g7
More information
Details
Impact
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with
nodeIntegrationInSubFramesenabled which in turn allows effective access toipcRenderer.Please note the misleadingly named
nodeIntegrationInSubFramesoption does not implicitly grant Node.js access rather it depends on the existingsandboxsetting. If your application is sandboxed thennodeIntegrationInSubFramesjust gives access to the sandboxed renderer APIs (which includesipcRenderer).If your application then additionally exposes IPC messages without IPC
senderFramevalidation that perform privileged actions or return confidential data this access toipcRenderercan in turn compromise your application / user even with the sandbox enabled.Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.617.2.016.2.615.5.5Workarounds
Ensure that all IPC message handlers appropriately validate
senderFrameas per our security tutorial here.For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
AutoUpdater module fails to validate certain nested components of the bundle
CVE-2022-29257 / GHSA-77xc-hjv8-ww97
More information
Details
Impact
This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.617.2.016.2.015.5.0Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Exfiltration of hashed SMB credentials on Windows via file:// redirect
CVE-2022-36077 / GHSA-p2jh-44qj-pf2v
More information
Details
Impact
When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as
file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.Patches
This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:
We recommend all apps upgrade to the latest stable version of Electron.
Workarounds
If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the
WebContents.on('will-redirect')event, for all WebContents:For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Credit
Thanks to user @coolcoolnoworries for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd
CVE-2023-39956 / GHSA-7x97-j373-85x5
More information
Details
Impact
Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as
myapp --helpSpecifically this issue can only be exploited if the following conditions are met:
This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
26.0.0-beta.1325.5.024.7.123.3.1322.3.19For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Electron affected by libvpx's heap buffer overflow in vp8 encoding
CVE-2023-5217 / GHSA-qqvq-6xgj-jw8g
More information
Details
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
ASAR Integrity bypass via filetype confusion in electron
CVE-2023-44402 / GHSA-7m48-wc93-9g85
More information
Details
Impact
This only impacts apps that have the
embeddedAsarIntegrityValidationandonlyLoadAppFromAsarfuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the
resourcesfolder in your app installation on Windows which these fuses are supposed to protect against.Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
27.0.0-alpha.726.2.125.8.124.8.322.3.24For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
electron/electron (electron)
v22.3.25: electron v22.3.25Compare Source
Release Notes for v22.3.25
Other Changes
v22.3.24: electron v22.3.24Compare Source
Release Notes for v22.3.24
Other Changes
v22.3.23: electron v22.3.23Compare Source
Release Notes for v22.3.23
Other Changes
v22.3.22: electron v22.3.22Compare Source
Release Notes for v22.3.22
Fixes
Other Changes
v22.3.21: electron v22.3.21Compare Source
Release Notes for v22.3.21
Fixes
Other Changes
1444438.v22.3.18: electron v22.3.18Compare Source
Release Notes for v22.3.18
Other Changes
1454860. #38949v22.3.17: electron v22.3.17Compare Source
Release Notes for v22.3.17
Other Changes
1454860. #38949v22.3.16: electron v22.3.16Compare Source
Release Notes for v22.3.16
Other Changes
1450536.v22.3.15: electron v22.3.15Compare Source
Release Notes for v22.3.15
Other Changes
1450536.v22.3.14: electron v22.3.14Compare Source
Release Notes for v22.3.14
Other Changes
1450536.v22.3.13: electron v22.3.13Compare Source
Release Notes for v22.3.13
Other Changes
1437346.1439691.1425115.1431761.1442263. #383321447430.1444195.v22.3.12: electron v22.3.12Compare Source
Release Notes for v22.3.12
Other Changes
1423360. #38277v22.3.11: electron v22.3.11Compare Source
Release Notes for v22.3.11
Other Changes
1423360. #38277v22.3.10: electron v22.3.10Compare Source
Release Notes for v22.3.10
Other Changes
v22.3.9: electron v22.3.9Compare Source
Release Notes for v22.3.9
Other Changes
v22.3.8: electron v22.3.8Compare Source
Release Notes for v22.3.8
Fixes
v22.3.7: electron v22.3.7Compare Source
Release Notes for v22.3.7
Fixes
shell.openExternal()options. #38092 (Also in 23, 24, 25)Other Changes
1360571. #380621404790. #380641417317. #376651427388. #379831428820. #38068v22.3.6: electron v22.3.6Compare Source
Release Notes for v22.3.6
Fixes
node-gypversion innode.herror. #37942 (Also in 23, 24, 25)Other Changes
v22.3.5: electron v22.3.5Compare Source
Release Notes for v22.3.5
Fixes
port.postMessageinMessagePortMainwith some invalid parameters could cause a crash. #37725 (Also in 23, 24)Other Changes
1412991. #376591418734. #37661v22.3.4: electron v22.3.4Compare Source
Release Notes for v22.3.4
Fixes
session.cookies.setfailure. #37595 (Also in 23, 24)Other Changes
1415249. #376711416916. #376571417585. #37663v22.3.3: electron v22.3.3Compare Source
Release Notes for v22.3.3
Fixes
Other Changes
1414224. #37483v22.3.2: electron v22.3.2Compare Source
Release Notes for v22.3.2
Fixes
minWidth/minHeightandmaxWidth/maxHeightwould not be enforced if the user set anaspectRatioon macOS. #37458 (Also in 23, 24)hasReplyandactionsto a main process Notification on macOS resulted in the first action being obscured and unavailable. #37447 (Also in 23, 24)Other Changes
contents.takeHeapSnapshot. #37459 (Also in 23, 24)v22.3.1: electron v22.3.1Compare Source
Release Notes for v22.3.1
Other Changes
Documentation
v22.3.0: electron v22.3.0Compare Source
Release Notes for v22.3.0
Features
webContents.print(). #37263 (Also in 23, 24)Fixes
BrowserViews are present and a user attempts to preventbeforeunloadin the renderer process. #37266 (Also in 23, 24)Other Changes
v22.2.1: electron v22.2.1Compare Source
Release Notes for v22.2.1
Features
Fixes
nodeIntegrationInWorker: true. #37102 (Also in 23)Documentation
v22.2.0: electron v22.2.0Compare Source
Release Notes for v22.0.0
Stack Upgrades