Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0M20tZmZ3ci1ycGNj

SSL Validation Defaults to False in electron-packager

Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.

This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.

Recommendation

1. Update to version 7.0.0 or later.
2. Delete the electron-download cache folder, which is by default located at ~/.electron.

Permalink: https://github.com/advisories/GHSA-q43m-ffwr-rpcc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0M20tZmZ3ci1ycGNj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 5 years ago
Updated: over 1 year ago

Identifiers: GHSA-q43m-ffwr-rpcc, CVE-2016-10534
References:

• https://nvd.nist.gov/vuln/detail/CVE-2016-10534
• https://github.com/electron-userland/electron-packager/issues/333
• https://github.com/advisories/GHSA-q43m-ffwr-rpcc
• https://www.npmjs.com/advisories/104

Repository: https://github.com/electron-userland/electron-packager
Blast Radius: 0.0

Affected Packages