CVE-2024-27303
March 06, 2024
electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. A vulnerability that only affects eletron-builder prior to 24.13.2 in Windows, the NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file. Version 24.13.2 fixes this issue. No known workaround exists. The code executes at the installer-level before the app is present on the system, so there's no way to check if it exists in a current installer.
Affected Packages
app-builder-lib (NPM):
Affected version(s) >=20.24.0 <24.13.2Fix Suggestion:
Update to version 24.13.2app-builder-lib (NPM):
Affected version(s) >=20.24.0 <24.13.2Fix Suggestion:
Update to version 24.13.2app-builder-lib (NPM):
Affected version(s) >=20.24.0 <24.13.2Fix Suggestion:
Update to version 24.13.2app-builder-lib (NPM):
Affected version(s) >=20.24.0 <24.13.2Fix Suggestion:
Update to version 24.13.2Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
7
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
EPSS
Base Score:
0.21
