Vulnerability DatabaseCVE-2022-29247
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-29247
June 13, 2022
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with "nodeIntegrationInSubFrames" enabled which in turn allows effective access to "ipcRenderer". The "nodeIntegrationInSubFrames" option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then "nodeIntegrationInSubFrames" just gives access to the sandboxed renderer APIs, which include "ipcRenderer". If the application then additionally exposes IPC messages without IPC "senderFrame" validation that perform privileged actions or return confidential data this access to "ipcRenderer" can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate "senderFrame".
Affected Packages
electron (NPM):
Affected version(s) >=16.0.0 <16.2.6
Fix Suggestion:
Update to version 16.2.6
electron (NPM):
Affected version(s) >=17.0.0 <17.2.0
Fix Suggestion:
Update to version 17.2.0
electron (NPM):
Affected version(s) >=18.0.0-beta.1 <18.0.0-beta.6
Fix Suggestion:
Update to version 18.0.0-beta.6
electron (NPM):
Affected version(s) >=0.1.0 <15.5.5
Fix Suggestion:
Update to version 15.5.5
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (4)
https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7
https://nvd.nist.gov/vuln/detail/CVE-2022-29247
https://github.com/electron/electron
https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29247.json
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
2.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
6.8
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Exposure of Resource to Wrong Sphere
CWE-668
EPSS
Base Score:
0.80