HIGH 8.8

GHSA-fjqr-fx3f-g4rv

Electron protocol handler browser vulnerable to Command Injection

상세

Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / electron

최초 영향 버전: 0 수정 버전: 1.8.2-beta5

수정 npm install electron@1.8.2-beta5

참고

https://nvd.nist.gov/vuln/detail/CVE-2018-1000118 [ADVISORY]
https://github.com/electron/electron/commit/ce361a12e355f9e1e99c989f1ea056c9e502dbe7 [WEB]
https://electronjs.org/releases#1.8.2-beta.5 [WEB]
https://github.com/advisories/GHSA-fjqr-fx3f-g4rv [ADVISORY]