Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXcyMjItNTNjNi1jODZw
Remote Code Execution in electron
Affected versions of electron
may be susceptible to a remote code execution flaw when certain conditions are met:
- The electron application is running on Windows.
- The electron application registers as the default handler for a protocol, such as
nodeapp://
.
This vulnerability is caused by a failure to sanitize additional arguments to chromium in the command line handler for Electron.
MacOS and Linux are not vulnerable.
Recommendation
Update electron to a version that is not vulnerable. If updating is not possible, the electron team has provided the following guidance:
If for some reason you are unable to upgrade your Electron version, you can append --
as the last argument when calling app.setAsDefaultProtocolClient
, which prevents Chromium from parsing further options. The double dash --
signifies the end of command options, after which only positional parameters are accepted.
app.setAsDefaultProtocolClient(protocol, process.execPath, [
'--your-switches-here',
'--'
])
Permalink: https://github.com/advisories/GHSA-w222-53c6-c86pJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXcyMjItNTNjNi1jODZw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 7 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-w222-53c6-c86p, CVE-2018-1000006
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000006
- https://electronjs.org/blog/protocol-handler-fix
- https://github.com/advisories/GHSA-w222-53c6-c86p
- https://www.npmjs.com/advisories/563
- https://github.com/electron/electron/releases/tag/v1.8.2-beta.4
- https://medium.com/@Wflki/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
- https://www.exploit-db.com/exploits/43899/
- https://www.exploit-db.com/exploits/44357/
- http://www.securityfocus.com/bid/102796
Blast Radius: 43.7
Affected Packages
npm:electron
Dependent packages: 5,167Dependent repositories: 93,246
Downloads: 3,165,628 last month
Affected Version Ranges: >= 1.8.0, <= 1.8.2-beta.3, >= 1.6.0, < 1.6.16, >= 1.7.0, < 1.7.11
Fixed in: 1.8.2-beta.4, 1.6.16, 1.7.11
All affected versions: 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.8.1, 1.8.2-beta.1, 1.8.2-beta.2, 1.8.2-beta.3
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.5.0, 1.5.1, 1.6.16, 1.6.17, 1.6.18, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.1.11, 7.1.12, 7.1.13, 7.1.14, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.4.0, 8.4.1, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.1.0, 11.1.1, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.3.0, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.5.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 12.0.11, 12.0.12, 12.0.13, 12.0.14, 12.0.15, 12.0.16, 12.0.17, 12.0.18, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.4, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.2.0, 13.2.1, 13.2.2, 13.2.3, 13.3.0, 13.4.0, 13.5.0, 13.5.1, 13.5.2, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.6.6, 13.6.7, 13.6.8, 13.6.9, 14.0.0, 14.0.1, 14.0.2, 14.1.0, 14.1.1, 14.2.0, 14.2.1, 14.2.2, 14.2.3, 14.2.4, 14.2.5, 14.2.6, 14.2.7, 14.2.8, 14.2.9, 15.0.0, 15.1.0, 15.1.1, 15.1.2, 15.2.0, 15.3.0, 15.3.1, 15.3.2, 15.3.3, 15.3.4, 15.3.5, 15.3.6, 15.3.7, 15.4.0, 15.4.1, 15.4.2, 15.5.0, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.5.6, 15.5.7, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4, 16.0.5, 16.0.6, 16.0.7, 16.0.8, 16.0.9, 16.0.10, 16.1.0, 16.1.1, 16.2.0, 16.2.1, 16.2.2, 16.2.3, 16.2.4, 16.2.5, 16.2.6, 16.2.7, 16.2.8, 17.0.0, 17.0.1, 17.1.0, 17.1.1, 17.1.2, 17.2.0, 17.3.0, 17.3.1, 17.4.0, 17.4.1, 17.4.2, 17.4.3, 17.4.4, 17.4.5, 17.4.6, 17.4.7, 17.4.8, 17.4.9, 17.4.10, 17.4.11, 18.0.0, 18.0.1, 18.0.2, 18.0.3, 18.0.4, 18.1.0, 18.2.0, 18.2.2, 18.2.3, 18.2.4, 18.3.0, 18.3.1, 18.3.2, 18.3.3, 18.3.4, 18.3.5, 18.3.6, 18.3.7, 18.3.8, 18.3.9, 18.3.11, 18.3.12, 18.3.13, 18.3.14, 18.3.15, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 19.0.5, 19.0.6, 19.0.7, 19.0.8, 19.0.9, 19.0.10, 19.0.11, 19.0.12, 19.0.13, 19.0.14, 19.0.15, 19.0.16, 19.0.17, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 19.1.9, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.1.0, 20.1.1, 20.1.2, 20.1.3, 20.1.4, 20.2.0, 20.3.0, 20.3.1, 20.3.2, 20.3.3, 20.3.4, 20.3.5, 20.3.6, 20.3.7, 20.3.8, 20.3.9, 20.3.10, 20.3.11, 20.3.12, 21.0.0, 21.0.1, 21.1.0, 21.1.1, 21.2.0, 21.2.1, 21.2.2, 21.2.3, 21.3.0, 21.3.1, 21.3.3, 21.3.4, 21.3.5, 21.4.0, 21.4.1, 21.4.2, 21.4.3, 21.4.4, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.1.0, 22.2.0, 22.2.1, 22.3.0, 22.3.1, 22.3.2, 22.3.3, 22.3.4, 22.3.5, 22.3.6, 22.3.7, 22.3.8, 22.3.9, 22.3.10, 22.3.11, 22.3.12, 22.3.13, 22.3.14, 22.3.15, 22.3.16, 22.3.17, 22.3.18, 22.3.21, 22.3.22, 22.3.23, 22.3.24, 22.3.25, 22.3.26, 22.3.27, 23.0.0, 23.1.0, 23.1.1, 23.1.2, 23.1.3, 23.1.4, 23.2.0, 23.2.1, 23.2.2, 23.2.3, 23.2.4, 23.3.0, 23.3.1, 23.3.2, 23.3.3, 23.3.4, 23.3.5, 23.3.6, 23.3.7, 23.3.8, 23.3.9, 23.3.10, 23.3.11, 23.3.12, 23.3.13, 24.0.0, 24.1.0, 24.1.1, 24.1.2, 24.1.3, 24.2.0, 24.3.0, 24.3.1, 24.4.0, 24.4.1, 24.5.0, 24.5.1, 24.6.0, 24.6.1, 24.6.2, 24.6.3, 24.6.4, 24.6.5, 24.7.0, 24.7.1, 24.8.0, 24.8.1, 24.8.2, 24.8.3, 24.8.4, 24.8.5, 24.8.6, 24.8.7, 24.8.8, 25.0.0, 25.0.1, 25.1.0, 25.1.1, 25.2.0, 25.3.0, 25.3.1, 25.3.2, 25.4.0, 25.5.0, 25.6.0, 25.7.0, 25.8.0, 25.8.1, 25.8.2, 25.8.3, 25.8.4, 25.9.0, 25.9.1, 25.9.2, 25.9.3, 25.9.4, 25.9.5, 25.9.6, 25.9.7, 25.9.8, 26.0.0, 26.1.0, 26.2.0, 26.2.1, 26.2.2, 26.2.3, 26.2.4, 26.3.0, 26.4.0, 26.4.1, 26.4.2, 26.4.3, 26.5.0, 26.6.0, 26.6.1, 26.6.2, 26.6.3, 26.6.4, 26.6.5, 26.6.6, 26.6.7, 26.6.8, 26.6.9, 26.6.10, 27.0.0, 27.0.1, 27.0.2, 27.0.3, 27.0.4, 27.1.0, 27.1.2, 27.1.3, 27.2.0, 27.2.1, 27.2.2, 27.2.3, 27.2.4, 27.3.0, 27.3.1, 27.3.2, 27.3.3, 27.3.4, 27.3.5, 27.3.6, 27.3.7, 27.3.8, 27.3.9, 27.3.10, 27.3.11, 28.0.0, 28.1.0, 28.1.1, 28.1.2, 28.1.3, 28.1.4, 28.2.0, 28.2.1, 28.2.2, 28.2.3, 28.2.4, 28.2.5, 28.2.6, 28.2.7, 28.2.8, 28.2.9, 28.2.10, 28.3.0, 28.3.1, 28.3.2, 28.3.3, 29.0.0, 29.0.1, 29.1.0, 29.1.1, 29.1.2, 29.1.3, 29.1.4, 29.1.5, 29.1.6, 29.2.0, 29.3.0, 29.3.1, 29.3.2, 29.3.3, 29.4.0, 29.4.1, 29.4.2, 29.4.3, 29.4.5, 29.4.6, 30.0.0, 30.0.1, 30.0.2, 30.0.3, 30.0.4, 30.0.5, 30.0.6, 30.0.7, 30.0.8, 30.0.9, 30.1.0, 30.1.1, 30.1.2, 30.2.0, 30.3.0, 30.3.1, 30.4.0, 30.5.0, 30.5.1, 31.0.0, 31.0.1, 31.0.2, 31.1.0, 31.2.0, 31.2.1, 31.3.0, 31.3.1, 31.4.0, 31.5.0, 31.6.0, 31.7.0, 31.7.1, 31.7.2, 31.7.3, 32.0.0, 32.0.1, 32.0.2, 32.1.0, 32.1.1, 32.1.2, 32.2.0, 32.2.1, 32.2.2, 33.0.0, 33.0.1, 33.0.2