CVE-2021-39184

Published Oct 12, 2021

Last updated 2 years ago

CVSS high 8.6

Overview

Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.6
Impact score: 4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-862
security-advisories@github.com: CWE-668

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7ED24D03-59B2-4E91-B807-7BD1B09D8389",
            "versionEndExcluding": "11.5.0",
            "versionStartIncluding": "10.1.0"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3DE5DF76-68D8-4E5F-8916-6F3F7140E7EE",
            "versionEndExcluding": "12.1.0",
            "versionStartIncluding": "12.0.0"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "56BC24C9-C297-4D02-8601-B8F37449350B",
            "versionEndExcluding": "13.3.0",
            "versionStartIncluding": "13.0.0"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3152223A-E182-45F8-87EC-264B2DDD4B10"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta10:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D2007F6E-ECCB-4A7B-A4B6-24104A8D8AB6"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta11:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7134F6E7-427F-4187-B94B-1B1C1B1FE73B"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta12:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "82F84AAE-AD55-4565-9D41-DCAFCAA5D0AD"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta13:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D63A3C29-E6F0-41A3-838F-F7BFA893CF7C"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta14:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4DD814A9-5A50-49EF-9053-B36B127D7AAB"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta15:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E0B813DB-A89D-48AD-A3F0-3D68AB7A087F"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta16:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C192B552-BE06-480C-86A7-59CC2291EB27"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta17:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CFDC76F2-A8CA-4063-A8DA-F63C04D70760"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta18:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "98A43F4A-ED19-47D4-B4F9-7BC769E2F7F3"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta19:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DDB7F3FF-CDFF-4E23-B2D1-EF0AC8C75D10"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "430C057D-8574-44DB-B8A4-8ECD9BBA6B48"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta20:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2CF66D1F-77B6-4A5E-AD93-921FF2FC3309"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta21:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "871B25E4-F705-491D-842E-3D79B9351DAD"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta22:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2A59303D-7105-44E5-A91F-CBEF2F672F7A"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta23:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B2E8CF66-C123-4A63-BE8D-90321FF8A348"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta24:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FEE680F3-CB4A-4298-A4B1-FDDE6BAB0896"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta25:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "65DE71FB-0390-4D80-982E-D8709CD73573"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0CF035B4-FEF5-4D53-B975-CAF66ACA1860"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "88607FE5-5E91-4CD9-831A-2C353779BA1A"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DAE6B51E-F47B-48F5-8249-C958E85AE708"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "65B43BEC-8941-4587-A7AA-000456568E40"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta7:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "69CBF166-FF15-4E1C-83C1-207C1F67A7E7"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta8:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0817340D-82C9-4D79-9FF3-36F13260542D"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:14.0.0:beta9:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F20755C8-D323-4CF8-ACA0-199081610342"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FD9A6155-8B6B-4C1B-80CB-A26779559AAF"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F84883AD-A2C0-4075-BDB7-AAB8307DC099"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "028E4C03-4A98-4311-8A19-825035C8EB14"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "78FAAB9C-73D0-4DBC-B78F-293D75FDFC1C"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9709716E-896F-430E-9C5F-F898B46256E3"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "669329B9-EA55-4FEC-8543-A8FA1C0733BA"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha7:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "99904BC0-56A9-405C-A4C3-BCE30B840DB7"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha8:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "755AE879-ACB3-450A-85B4-095E93CCF77A"
          },
          {
            "criteria": "cpe:2.3:a:electronjs:electron:15.0.0:alpha9:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "37428807-70D6-496C-82A0-2084F2BC2D51"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References