CVE-2022-29257
June 13, 2022
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto-updating infrastructure, and the ease of that attack depends entirely on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds.
Affected Packages
electron (NPM):
Affected version(s): >=16.0.0 <16.2.0
Fix Suggestion: Update to version 16.2.0

electron (NPM):
Affected version(s): >=17.0.0 <17.2.0
Fix Suggestion: Update to version 17.2.0

electron (NPM):
Affected version(s): >=0.1.0 <15.5.0
Fix Suggestion: Update to version 15.5.0

electron (NPM):
Affected version(s): >=18.0.0-beta.1 <18.0.0-beta.6
Fix Suggestion: Update to version 18.0.0-beta.6
CVSS v4
Base Score: 7.5
Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: HIGH
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 6.6
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
CVSS v2
Base Score: 6.5
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Weakness Type (CWE): Improper Input Validation
EPSS
Base Score: 0.45