SB2020070733 - Multiple vulnerabilities in Electron
Published: July 7, 2020 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2020-15096)
The vulnerability allows a remote privileged user to manipulate data.
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.
2) Input validation error (CVE-ID: CVE-2020-4075)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
3) Input validation error (CVE-ID: CVE-2020-4076)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
4) Input validation error (CVE-ID: CVE-2020-4077)
The vulnerability allows a remote authenticated user to execute arbitrary code.
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Remediation
Install update from vendor's website.
References
- https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg
- https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824
- https://github.com/electron/electron/security/advisories/GHSA-f9mq-jph6-9mhm
- https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79
- https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g