- Description
- electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in the command line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If that step succeeds, the malicious update is executed even though its signature is invalid. This attack assumes a compromised update manifest (server compromise, a Man-in-the-Middle attack if the manifest is fetched over HTTP, Cross-Site Scripting to point the application at a malicious update server, etc.). The patch is available starting from 6.3.0-alpha.6.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 5.9
- Exploitability score
- 1.6
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:electron:electron-builder:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F77447F6-4E3F-468E-BBBB-AB248C06CF1B",
            "versionEndExcluding": "6.3.0"
          },
          {
            "criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha0:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "801B3F79-555D-4FCB-B854-227E8D3FDD9E"
          },
          {
            "criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha1:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3B939D2F-400E-478C-8F45-568D5B7C5756"
          },
          {
            "criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha2:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4ECAF72F-A2E1-4D12-9797-CA1461931579"
          },
          {
            "criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha3:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E03022BB-203E-4750-BCD1-493971C95559"
          },
          {
            "criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha4:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "587F242D-22D2-4BE6-BCF0-87C2865546E0"
          },
          {
            "criteria": "cpe:2.3:a:electron:electron-builder:6.3.0:alpha5:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "116D170A-CD87-484A-864E-5CA0D198C947"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]