Main Vulnerability Database Vulnerabilities #VU34172

Input validation error in Electron - CVE-2020-4076

Published: July 7, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34172

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2020-4076

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Electron

Software vendor:
Electron

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Remediation

Install update from vendor's website.

External links

https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79
https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824

Input validation error in Electron - CVE-2020-4076

Description

Remediation

External links

Please verify you're human